Date: 2022-01-12

On December 9, when the Apache Software Foundation disclosed a massive vulnerability in Log4j, its Java logging library, it triggered a cat-and-mouse game as IT professionals raced to secure their systems against cybercriminals looking to exploit a huge, now-known issue. Among them were clients of George Glass, head of threat intelligence at governance and risk company Kroll. “Certain companies we spoke to knew there were applications that were impacted,” he says. The problem? They didn’t have access to them. “Maybe it’s a SaaS platform or it’s hosted somewhere else,” he says. They weren’t able to patch the Log4j binary itself, and instead faced a tricky decision: Turn off that specific application and stop using it, potentially refiguring their entire IT infrastructure, or take the risk that the third-party fix would come quicker than the state-sponsored and private hackers trying to take advantage.

