Global tech experts race to fix ‘fully weaponised’ software flaw

10 December 2021, 23:54

Laptop
Laptop User Stock. Picture: PA

The flaw may be the worst computer vulnerability discovered in years.

A software vulnerability exploited in the online game Minecraft is rapidly emerging as a major threat to internet-connected devices around the world.

“The internet’s on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike.

“People are scrambling to patch and there are script kiddies and all kinds of people scrambling to exploit it.”

He said on Friday that in the 12 hours since the bug’s existence was disclosed it had been “fully weaponised”, meaning malefactors have developed and distributed tools to exploit it.

The flaw may be the worst computer vulnerability discovered in years. It opens a loophole in software code that is ubiquitous in cloud servers and enterprise software used across industry and government.

It could allow criminals or spies to loot valuable data, plant malware or erase crucial information, and much more.

“I’d be hard pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors.

Untold millions of servers have it installed, and experts said the fallout would not be known for several days.

Amit Yoran, chief executive of cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in the history of modern computing.

The vulnerability, dubbed Log4Shell, was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software.

New Zealand’s computer emergency response team was among the first to report that the flaw was being “actively exploited in the wild”, hours after it was publicly reported on Thursday and a patch released.

The vulnerability, located in open-source Apache software used to run websites and other web services, was discovered on November 24 by Chinese tech giant Alibaba, the foundation said.

Finding and patching the software could be a complicated task. While most organisations and cloud providers should be able to update their web servers easily, the same Apache software is also often embedded in third-party programmes which often can only be updated by their owners.

Mr Yoran said organisations need to presume they have been compromised and act quickly.

The flaw’s exploitation was apparently first discovered in Minecraft, an online game hugely popular with children and owned by Microsoft.

Mr Meyers and security expert Marcus Hutchins said Minecraft users had already been using it to execute programmes on the computers of other users by pasting a short message in a chat box.

Microsoft said it had issued a software update for Minecraft users, adding: “Customers who apply the fix are protected.”

Researchers reported finding evidence that the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.

Mr Sullivan said there were no indications his company’s servers had been compromised.

By Press Association

More Technology News

See more More Technology News

Glastonbury Festival 2019

EE expects Glastonbury data usage to double at this year’s festival

Ford geofencing technology

Ford trials geofencing tech to automatically control vehicle speed

The Duomo in Milan on Google Street View

Google Street View’s ‘time travel’ feature comes to smartphones

Facebook

Facebook and Instagram to reveal more on how ads target users

Mark Zuckerberg

Washington sues Mark Zuckerberg over Cambridge Analytica privacy breach

Google Pixel 6 and Pixel 6 Pro smartphones

More powerful cameras key to smartphone success, says Google manager

An underwater drone on a ship deck

Underwater drone carries out first-ever offshore wind farm inspection

Child uses laptop

Create watchdog to protect children online, charity says

Technology Stock

Dark web ‘scramble’ over Buffalo attack amid fears of post-pandemic attacks

Technology stock

Twitter users told to be wary of scam messages about verified accounts

Computer virus stock

Scientists create tool to kill cyber attacks in ‘less than a second’

Attorney General Suella Braverman

International law should be applied to cyberspace, Attorney General to say

Games console controller

Gaming sector in Scotland needs UK-wide network to thrive, report warns

Sir Nick Clegg

Sir Nick Clegg says the metaverse is coming ‘one way or another’

A child at a computer

Online Safety Bill fails to stop violence against women and girls, experts warn

Coders race to take part in Robot Dog Olympics

Coders take part in Robot Dog Olympics to help develop tech solutions for Army