On Friday, security experts from all over the world raced to patch one of the worst computer vulnerabilities: a critical flaw in open-source code widely used across industry and government in cloud services and enterprise software. Joe Sullivan, chief security officer for Cloudflare, said:
“I’d be hard-pressed to think of a company that’s not at risk.” His company's online infrastructure protects websites from malicious actors.
New Zealand's computer emergency response team was among the first to report that the flaw, in a Java-language utility for Apache servers used to log user activity, was being exploited just hours after it was publicly reported on Thursday and a patch was released.
The so-called ‘Log4Shell’ vulnerability was rated 10 on a scale of one to 10, which is the worst possible. This means that anyone with the exploit can get full access to an unpatched machine. Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike, said:
“The internet’s on fire right now. People are scrambling to patch and there are script kiddies and all kinds of people scrambling to exploit it. In the last 12 hours, it has been fully weaponized.”
The Apache Software Foundation said that the vulnerability in its software was first discovered on November 24 by the Chinese tech giant Alibaba. Meyers expected computer emergency response teams to have a busy weekend trying to identify all impacted machines, but the real problem is that the affected software can be in programs provided by third parties. Exploitation was first discovered in Minecraft, an online game hugely popular with kids and owned by Microsoft.
Meyers and Marcus Hutchins, a security expert, said that Minecraft users had already been using the flaw to execute programs on the computers of other users by pasting a short message in a chatbox.
Some researchers reported finding evidence the vulnerability could be exploited in servers run by companies including Apple, Amazon, Twitter, and Cloudflare.
According to Cloudflare’s Sullivan, his company was not compromised, as there is no indication of it. Apple, Amazon, and Twitter did not immediately respond when asked for comment.