A Major Bug is Affecting Many Computers

Online security experts from around the world are working to fix one of the worst computer vulnerabilities discovered in years, a critical flaw in source code used in industry, government, cloud, and enterprise software.

"It would be hard to think of a company that wasn't at risk," said the security director at Cloudflare, whose online infrastructure protects websites from malicious actors.

The computer vulnerability, or bug, is present on numerous computers, and experts warn that the effects of the flaw will not be known for several days. New Zealand's Computer Emergency Task Force was among the first to report that the flaw, in a Java-language utility for Apache servers used to log user activity, was being "actively exploited" within hours of its public disclosure and the release of a patch on Thursday.

The vulnerability, dubbed "Log4Shell," was rated 10 on a scale of one to 10, the worst possible. Anyone with an exploit can gain full access to an unpatched machine.

"The Internet is on fire. People are fighting to patch it and there are script kiddies [inexperienced young hackers] and all kinds of people fighting to exploit it [the vulnerability]. In the last 12 hours, it's been totally turned into a weapon," said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike.

The vulnerability in the Apache Software Foundation module was discovered on November 24 by Chinese tech giant Alibaba, the foundation said. Meyers expected computer emergency response teams to have a busy weekend trying to identify all affected computers. The investigation is complicated because the affected software may be in programs provided by third parties.

The flaw was apparently discovered in Minecraft, an online game extremely popular among children and owned by Microsoft.

Meyers and security expert Marcus Hutchins said that Minecraft users were already using it to run programs on other players' computers by pasting a small message into a message box.

Microsoft said it has released a software update for Minecraft users, noting that "customers who apply the patch are protected."

The researchers said they found evidence that the vulnerability is present on servers of companies such as Apple, Amazon, Twitter, and Cloudflare.

Cloudflare's Sullivan said that there is no indication that his company's servers have been compromised. Apple, Amazon and Twitter have not yet commented.