‘The internet’s on fire’ as techs race to fix software flaw

Dec 10, 2021, 12:36 PM | Updated: Dec 13, 2021, 4:29 pm

BOSTON (AP) — A critical vulnerability in a widely used software tool — one quickly exploited in the online game Minecraft — is rapidly emerging as a major threat to organizations around the world.

“The internet’s on fire right now,” said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. “People are scrambling to patch,” he said, “and all kinds of people scrambling to exploit it.” He said Friday morning that in the 12 hours since the bug’s existence was disclosed, it had been “fully weaponized,” meaning malefactors had developed and distributed tools to exploit it.

The flaw may be the worst computer vulnerability discovered in years. It was uncovered in a utility that’s ubiquitous in cloud servers and enterprise software used across industry and government. Unless it is fixed, it grants criminals, spies and programming novices alike easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.

“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors. Untold millions of servers have it installed, and experts said the fallout would not be known for several days.

Amit Yoran, CEO of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in the history of modern computing.

The vulnerability, dubbed ‘Log4Shell,’ was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software.

Experts said the extreme ease with which the vulnerability lets an attacker access a web server — no password required — is what makes it so dangerous.

New Zealand’s computer emergency response team was among the first to report that the flaw was being “actively exploited in the wild” just hours after it was publicly reported Thursday and a patch released.

The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on Nov. 24 by the Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix.

But patching systems around the world could be a complicated task. While most organizations and cloud providers such as Amazon should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.

Yoran, of Tenable, said organizations need to presume they’ve been compromised and act quickly.

The first obvious signs of the flaw’s exploitation appeared in Minecraft, an online game hugely popular with kids and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box.

Microsoft said it had issued a software update for Minecraft users. “Customers who apply the fix are protected,” it said.

Researchers reported finding evidence the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.

Cloudflare’s Sullivan said there was no indication his company’s servers had been compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
