The Log4j Security Flaw Could Impact the Entire Internet. Here's What You Should Know

26 September 2022


"It will take years to tackle this while attackers will be on the lookout... on a daily basis to exploit it," said David Kennedy, the CEO of cybersecurity firm TrustedSec. "This is a ticking bomb for companies."



Here's what you need to know:



What is Log4j? Why is it important?



According to cybersecurity experts, Log4j is one of the most frequently used online logging libraries. Log4j allows software developers to create a record of activity that can be used for troubleshooting, auditing and tracking data. The library is free and open-source, so it can be used in all areas of the internet.



"It's ubiquitous. Even if you do not use Log4j as an author, you could still be vulnerable to malware because the one open source library you are using relies on Log4j," Chris Eng of cybersecurity firm Veracode told CNN Business. "This is the nature of software: it's turtles all the way down."



The software is used by corporations like Apple, IBM, Oracle, Cisco, Google and Amazon. It can be found in popular websites and apps, and many more devices around the globe could be vulnerable to it.



Are hackers exploiting it?



According to cybersecurity firm Cloudflare, hackers appear to have had more than a week to exploit the software flaw before it was disclosed. With such a high number of hacking attempts taking place each day, some worry that the worst is yet to come.



"Sophisticated threat actors will find ways to exploit the vulnerability to make the biggest gain," Mark Ostrowski, Check Point's director of engineering, said on Tuesday.



Microsoft released a statement late Tuesday saying that state-backed hackers, including those from China, Iran and North Korea, tried to exploit the Log4j flaw.



Why is this security flaw so bad?



Experts are particularly concerned about the vulnerability because hackers could gain access to a company's computer server, giving them access to other components of a network. It's also difficult to identify the vulnerability, or to determine if a system has already been compromised, according to Kennedy.



In addition, a third vulnerability in Log4j's software was discovered late Tuesday. The Apache Software Foundation, a nonprofit that developed Log4j and other open software, has issued a security fix for businesses to apply.



What are companies doing to address the problem?



This week, Minecraft published a blog post announcing that a vulnerability had been discovered in a particular version of its game. It promptly issued a fix. Other companies have taken similar steps.






IBM, Oracle, AWS and Cloudflare have all issued advisory notices to customers, and some have even pushed security updates or laid out their plans for patches.



"This is a serious vulnerability, but it's not as if you can click an icon to patch it like a standard major vulnerability. It will require an enormous amount of time and effort," said Kennedy.



CISA said that it would create a public website to provide updates on software products that are affected by the vulnerability.



What can you do to protect yourself?



Companies are under immense pressure to act. Users should make sure that they update their apps, software and devices whenever they are prompted to by companies in the coming days or weeks.



What's next?



The US government has issued a warning to affected businesses to be on high alert during the holiday season for cyberattacks and ransomware.



There is a risk that an increasing number of malicious actors will make use of the vulnerability in innovative ways. While large technology companies may have security teams in place to handle these potential threats, many other companies do not.



"What I'm most worried about is school districts, hospitals and other places where there is only one IT employee who does security but doesn't have a security budget or the tools," said Katie Nickels, director of intelligence at cybersecurity company Red Canary. "Those are the companies that I am most worried about -- the small businesses with low security budgets."
