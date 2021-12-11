ContributorsPublishersAdvertisers
Computers

'The internet's on fire' as techs race to fix software flaw

ABC News
ABC News
 2 days ago

https://img.particlenews.com/image.php?url=1DxwhC_0dJf8fCQ00

A critical vulnerability in a widely used software tool — one quickly exploited in the online game Minecraft — is rapidly emerging as a major threat to organizations around the world.

“The internet’s on fire right now," said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. “People are scrambling to patch,” he said, "and all kinds of people scrambling to exploit it." He said Friday morning that in the 12 hours since the bug's existence was disclosed that it had been "fully weaponized,” meaning malefactors had developed and distributed tools to exploit it.

The flaw may be the worst computer vulnerability discovered in years. It was uncovered in a utility that's ubiquitous in cloud servers and enterprise software used across industry and government. Unless it is fixed, it grants criminals, spies and programming novices alike easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.

“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors. Untold millions of servers have it installed, and experts said the fallout would not be known for several days.

Amit Yoran, CEO of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in the history of modern computing.

The vulnerability, dubbed ‘Log4Shell,’ was rated 10 on a scale of one to 10 the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software,

Experts said the extreme ease with which the vulnerability lets an attacker access a web server — no password required — is what makes it so dangerous.

New Zealand's computer emergency response team was among the first to report that the flaw was being “actively exploited in the wild" just hours after it was publicly reported Thursday and a patch released.

The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on Nov. 24 by the Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix.

But patching systems around the world could be a complicated task. While most organizations and cloud providers such as Amazon should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.

Yoran, of Tenable, said organizations need to presume they’ve been compromised and act quickly.

The first obvious signs of the flaw's exploitation appeared in Minecraft, an online game hugely popular with kids and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box.

Microsoft said it had issued a software update for Minecraft users. “Customers who apply the fix are protected,” it said.

Researchers reported finding evidence the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.

Cloudflare's Sullivan said there we no indication his company's servers had been compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.

Comments / 0

Related
The Independent

Microsoft Windows starts telling users off if they try to download Google’s Chrome browser

Microsoft has started telling off Windows users if they try and download the rival Chrome browser.If users navigate to the page to download Chrome on their Windows computer, they will see an array of pop-ups that gently chide them for trying to download Google’s alternative.Instead, they are encouraged to use Microsoft’s built-in Edge browser.The notifications appear differently from normal Edge notifications, and as such seem to have been coded into Windows itself. They are showing on both Windows 10 and 11.Some of the prompts are more dry, simply claiming that Edge is a better browser and users should download it....
SOFTWARE
The US Sun

Google warns MILLIONS of Gmail users about Russian hack attack

GOOGLE has warned of a cyber attack spearheaded by Russian hackers that targeted users of Gmail. In a report published Monday, the US search giant said that the campaign aimed to steal people's login credentials using phoney emails sent to their inboxes. The attack took aim at more than 12,000...
INTERNET
notebookcheck.net

Joker malware discovered in multiple apps with thousands of installs on the Google Play Store

A malware analyst for Kaspersky, Tatyana Shishkova, has been tracking the appearance of Joker malware on numerous apps that have been available at some point on the Google Play Store. While some of the apps have registered barely any installs, quite a few have had thousands of downloads. The Joker malware has made numerous appearances over the years, with our last report on it detailing how it can access contacts and SMS messages without user permission.
TECHNOLOGY
gitconnected.com

Software Interviews Suck —Let’s Fix Them

In my 7 or so years as a developer, I’ve had my share of terrible interviews (on both sides). I can count on one hand the number of good interviews. Why is this? Why is the prevailing sentiment that software interviews generally suck? Is it that engineering is just so tragically difficult that there’s no room for enjoyment? Hardly. Here are 7 easy steps to restore humanity to the software developer interview process.
COMPUTERS
RELATED PEOPLE
Person
Joe Sullivan
HackRead

About 10 million Android devices found infected with Cynos malware

In total, researchers have identified around 190 malware-infected games, some of which were designed to specifically target Russian users, whereas some targeted Chinese and foreign users. Researchers from Doctor Web have shared details of a mobile campaign that infected at least 9.3 million Android devices. Reportedly, a new class of...
CELL PHONES
helpnetsecurity.com

Kafdrop flaw allows data from Kafka clusters to be exposed Internet-wide

Researchers at Spectral discovered a security flaw in Kafdrop, a popular open-source UI and management interface for Apache Kafka clusters that has been downloaded more than 20 million times. Kafdrop security flaw. Companies affected range from major global players to smaller organizations in healthcare, insurance, media, and IoT – basically...
SOFTWARE
Daily Mail

'The internet is on fire': 'Fully weaponised' software flaw 'that could be the biggest in the history of modern computing' poses a threat to internet-connected devices worldwide

A critical vulnerability in a widely used software tool - one quickly exploited in the online game Minecraft - is rapidly emerging as a major threat to organizations around the world. 'The internet´s on fire right now,' said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike....
INTERNET
IN THIS ARTICLE
#Enterprise Software#Tech#Software Update#Crowdstrike#Tenable
Telegraph

Amazon hit by IT issues wreaking havoc on US home deliveries

Amazon has been hit by technical problems that saw thousands of customers struggle to access services such as its Prime streaming channels, voice assistant Alexa and smart doorbell Ring. The issues stemmed from an outage at a cloud centre in Virginia and were also reported to have affected companies that...
BUSINESS
siliconangle.com

Critical vulnerability found in open-source tool used by Apple, Microsoft and others

A newly discovered cybersecurity vulnerability in Apache Log4j, an open-source software tool used by numerous companies, could enable hackers to install malware on affected systems. The Apache Software Foundation, which oversees development of Log4j, issued a patch for the vulnerability this morning. The organization also released guidelines on how users...
SOFTWARE
mit.edu

3 Questions: Can we fix our flawed software?

Sometimes, software is just like us. It can be bloated, slow, and messy. Humans might see a doctor if these symptoms persist (maybe not for messiness), but rarely do we push a flawed software program to go see its developer time and time again. The answer to why our software...
SOFTWARE
YOU MAY ALSO LIKE
NewsBreak
Microsoft
NewsBreak
Apple
NewsBreak
Technology
NewsBreak
Computers
NewsBreak
Twitter
NewsBreak
Alibaba
NewsBreak
Amazon
NewsBreak
Minecraft
techviral.net

How To Detect & Block Malicious Google Chrome Extensions

If you use Google Chrome, surely you have a handful of installed extensions that allow you to add extra features to the browser. Basically, all these extensions are small applications or tools that give Chrome certain features and functions. However, since the extension you install might have control over your browser, it may become quite dangerous if we do not control exactly what they do.
INTERNET
Android Central

How to get Google Assistant to read web pages to you

Google added a really handy feature to Google Assistant at CES 2020, enabling Android phone users to have web pages read out to them. There are numerous applications for the "Read It" feature, especially for the visually impaired. Here's how you can get Google Assistant to read web pages out to you.
TECHNOLOGY
ucsd.edu

Who’s got your mail? Google and Microsoft, mostly

Who really sends, receives and, most importantly perhaps, stores your business’ email? Most likely Google and Microsoft, unless you live in China or Russia. And the market share for these two companies keeps growing. That’s the conclusion reached by a group of computer scientists at the University of California San...
INTERNET
theregister.com

Log4j RCE: Emergency patch issued to plug critical auth-free code execution hole in widely-used logging utility

An unauthenticated remote code execution vulnerability in Apache's Log4j Java-based logging tool is being actively exploited, researchers have warned after it was used to execute code on Minecraft servers. Infosec firm Randori summarised the vuln in a blog post, saying: "Effectively, any scenario that allows a remote connection to supply...
SOFTWARE
The Next Web

The Log4j bug exposes a bigger issue: Open-source funding

While you were watching the F1 title decider between Max Verstappen and Lewis Hamilton or excited for the Succession finale, companies running the internet were scared shitless. You might not have noticed it because services like Twitter, Facebook, Gmail, and smaller ones all stayed up. But a bug in an...
COMPUTERS
ABC News

ABC News

473K+
Followers
121K+
Post
242M+
Views
ABOUT

Straightforward news, context and analysis.

 https://abcnews.go.com

Comments / 0

Community Policy