Global tech experts race to fix ‘fully weaponised’ software flaw

10 December 2021, 23:54

Laptop
Laptop User Stock. Picture: PA

The flaw may be the worst computer vulnerability discovered in years.

A software vulnerability exploited in the online game Minecraft is rapidly emerging as a major threat to internet-connected devices around the world.

“The internet’s on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike.

“People are scrambling to patch and there are script kiddies and all kinds of people scrambling to exploit it.”

He said on Friday that in the 12 hours since the bug’s existence was disclosed it had been “fully weaponised”, meaning malefactors have developed and distributed tools to exploit it.

The flaw may be the worst computer vulnerability discovered in years. It opens a loophole in software code that is ubiquitous in cloud servers and enterprise software used across industry and government.

It could allow criminals or spies to loot valuable data, plant malware or erase crucial information, and much more.

“I’d be hard pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors.

Untold millions of servers have it installed, and experts said the fallout would not be known for several days.

Amit Yoran, chief executive of cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in the history of modern computing.

The vulnerability, dubbed Log4Shell, was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software.

New Zealand’s computer emergency response team was among the first to report that the flaw was being “actively exploited in the wild”, hours after it was publicly reported on Thursday and a patch released.

The vulnerability, located in open-source Apache software used to run websites and other web services, was discovered on November 24 by Chinese tech giant Alibaba, the foundation said.

Finding and patching the software could be a complicated task. While most organisations and cloud providers should be able to update their web servers easily, the same Apache software is also often embedded in third-party programmes which often can only be updated by their owners.

Mr Yoran said organisations need to presume they have been compromised and act quickly.

The flaw’s exploitation was apparently first discovered in Minecraft, an online game hugely popular with children and owned by Microsoft.

Mr Meyers and security expert Marcus Hutchins said Minecraft users had already been using it to execute programmes on the computers of other users by pasting a short message in a chat box.

Microsoft said it had issued a software update for Minecraft users, adding: “Customers who apply the fix are protected.”

Researchers reported finding evidence that the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.

Mr Sullivan said there were no indications his company’s servers had been compromised.

By Press Association

More Technology News

See more More Technology News

Nadine Dorries

Nadine Dorries uses TikTok rap to explain Online Safety Bill

Apple iPhones

Accessibility tools a ‘core value’ for Apple, says director

Social media

Facebook owner Meta updates privacy policy

The Queen with her corgis

‘PJ the corgi’ Platinum Jubilee emoji unveiled on royal Twitter account

Tesla and SpaceX chief executive officer Elon Musk

Shares jump as Elon Musk revises Twitter financing plan

A child using a laptop

New digital platform launched to boost online safety lessons for children

Glastonbury Festival 2019

EE expects Glastonbury data usage to double at this year’s festival

Ford geofencing technology

Ford trials geofencing tech to automatically control vehicle speed

The Duomo in Milan on Google Street View

Google Street View’s ‘time travel’ feature comes to smartphones

Facebook

Facebook and Instagram to reveal more on how ads target users

Mark Zuckerberg

Washington sues Mark Zuckerberg over Cambridge Analytica privacy breach

Google Pixel 6 and Pixel 6 Pro smartphones

More powerful cameras key to smartphone success, says Google manager

An underwater drone on a ship deck

Underwater drone carries out first-ever offshore wind farm inspection

Child uses laptop

Create watchdog to protect children online, charity says

Technology Stock

Dark web ‘scramble’ over Buffalo attack amid fears of post-pandemic attacks

Technology stock

Twitter users told to be wary of scam messages about verified accounts