The Log4j zero-day vulnerability is a considerable risk for internet security. Companies worldwide are scrambling to update their servers and patch the issue, but it will not be easy. The vulnerability comes from the Java logging utility, an open-source Apache framework that attackers can exploit to compromise computer systems without entering a password.
Developers use this framework to keep a record of activity within an application. While Java is not the most popular programming language these days, its Log4j library is still used by enterprise systems, which is why many popular services are expected to be affected.
The vulnerability is so easily passed around that security experts have noticed it being used in the popular Microsoft game Minecraft. By sending simple lines of text via the in-game chat, hackers were able to access other systems before Microsoft patched the flaw. Some hackers have even developed tools that automatically exploit the flaw and worms that can spread from one vulnerable system to another.
Because of the scale of the attacks, some are calling it the biggest hack in internet history.
The biggest concern with this hack is that it cannot be fixed with a single large-scale patch; instead, each company needs to issue its own fixes to prevent a breach. Unfortunately, not all of them will be able to release patches immediately if they are running on legacy software. As far as individuals go, there is not much they can do except wait for enterprises to release updates.
While some security-aware organizations may look to address this issue immediately, others may take a few weeks, or they may never even look at it. It is extremely easy for a hacker to exploit the flaw: all he or she must do is strategically send malicious code strings and wait for them to get logged by version 2.0 of Log4j or higher. After that, the attacker can load Java code into the affected server and take control of it.
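An inventory sweep a defender could run to find copies of the library in the version range named above, including copies bundled inside other archives; it is an added example, not part of the original article. It assumes log4j-core keeps its standard Maven pom.properties entry, and because the page gives no fixed release number, every 2.x copy is marked for review against Apache's advisory.

```python
import io
import os
import re
import zipfile

# Maven metadata that the log4j-core jar carries inside itself.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def _scan(data, label, findings, depth=0):
    """Record log4j-core versions in one archive, recursing into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # corrupt or not an archive: skip, do not abort the sweep
    with zf:
        for name in zf.namelist():
            if name == POM:
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", text, re.MULTILINE)
                if m:
                    findings.append((label, m.group(1)))
            elif name.lower().endswith(ARCHIVES) and depth < 4:
                # depth limit of 4 is an assumption (jar-in-war-in-ear layouts)
                _scan(zf.read(name), f"{label}!{name}", findings, depth + 1)

def find_log4j_core(root):
    """Return (location, version) for every log4j-core copy under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        _scan(fh.read(), path, findings)
                except OSError:
                    continue  # unreadable file: leave for a privileged rerun
    return findings

def in_affected_range(version):
    """True for 2.0 or higher, the range the article names."""
    m = re.match(r"(\d+)", version)
    return bool(m) and int(m.group(1)) >= 2

if __name__ == "__main__":
    for location, version in find_log4j_core("."):
        flag = "REVIEW" if in_affected_range(version) else "ok"
        print(f"{flag}\t{version}\t{location}")
```

Copies repackaged without their Maven metadata will not appear in the output, so an empty result is not proof that the library is absent.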
A few government cybersecurity agencies around the world posted warnings about the Log4j vulnerability, including the US Cybersecurity and Infrastructure Security Agency.
“Vulnerabilities are like sunrises, when you miss an opportunity to patch it, the heat from Evil Hacker exploitation takes over your day,” says Dr. Ondrej Krehel, Founder and CEO of LIFARS, LLC.
It is currently unknown how widespread the problem is, but many popular companies like Apple, Amazon, and others are potential victims.