Why This Massive Security Flaw Affects Nearly The Entire Internet

A major cybersecurity vulnerability affects nearly the entire internet, sending everyone from financial institutions to government agencies scrambling to patch their systems before cybercriminals and nation-states can launch cyberattacks.

The flaw, also known as the Log4j vulnerability, affects a piece of open-source logging software that helps developers understand how their programs work. The idea is to help companies understand potential bugs or performance issues in their own software.

But Log4j, which is part of the software offered by the open-source Apache Software Foundation, can be exploited to let attackers take over the computers and networks of any organization running the program.

Patches have already been released, but applying them is another story. Organizations, both government and private, are notoriously slow when it comes to updating their software.

“It’s a very, very serious problem,” associate professor Justin Cappos of the NYU Tandon School of Engineering told Yahoo Finance. “Because it’s part of the software supply chain, many different pieces of software can be affected.”

The fear is that attackers could use the flaw to take remote control of any unpatched system and use it as their own. According to experts, this could give cybercriminals the tools to do everything from stealing user data to taking over real-world infrastructure.

The danger of Log4j

The Log4j vulnerability is dangerous for two reasons: how widely the software is used and how attackers can exploit the flaw.

“If you have the vulnerability and I take advantage of it, that means I can run my code on your machine,” explains Herb Lin, a senior researcher at the Center for International Security and Cooperation at Stanford University. “So now it’s like I’m on your machine, and now I can do all you can do.”

According to Lin, that could mean things like stealing emails, destroying files, and installing ransomware. And the potential damage doesn’t stop there.

“I can now take over the generator your computer is connected to, the telephone exchange or the chemical plant and so on,” Lin said. “So that’s the problem. The vulnerability stems from the fact that this code has been part of millions and millions and millions of installations around the world.”

The Log4j flaw can be used to do everything from attacking corporate email systems to affecting real-world infrastructure. (Image: Getty)

Another major problem is the fact that as an individual, you have no control over whether the Internet companies you trust to protect your files will quickly deploy the correct patches.

“If there’s a bug in Microsoft Word, maybe I can say, ‘Oh, I don’t use Microsoft Word. I don’t have to worry about this,’ right? But here’s the problem, you might not even know where the software is being used,” Cappos says.

Criminals and nation states are already trying to exploit the vulnerability

According to Microsoft’s threat intelligence team, most attacks related to the Log4j vulnerability have been scanning attempts. That means the attackers are probing to see whether potential victims are vulnerable to attack.

Think of it as a burglar trying the door locks on a row of cars parked on a dark street. The cybercriminals are essentially trying to see who has locked their doors and who hasn’t.

Some hackers, meanwhile, are already using the flaw to carry out attacks, including installing cryptominers on victims’ machines, stealing user credentials, and stealing data from compromised systems.

Microsoft (MSFT) says groups in Turkey, China, Iran and North Korea are also developing the means to take advantage of the Log4j flaw. And some Iranian and Chinese groups are already using the exploit to bolster their own existing cyberattack capabilities.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has already instructed federal civilian agencies to patch their systems and has advised non-federal partners to do the same.

Patching the internet isn’t easy

To fix an issue like the Log4j flaw, companies using the software need to download the appropriate patch. But companies need time to implement the latest software. That’s because large organizations also need to make sure that the patch doesn’t affect their own programs.

More cynically, some companies simply don’t follow cybersecurity best practices and so don’t patch their systems in a timely manner or at all.

What can you do? Actually, nothing. The Log4j flaw is not something that most individual users can address. It is up to the companies that hold your information to address the vulnerability themselves. And if they don’t, your data could leak into the wild.

Do you have a tip? Email Daniel Howley at dhowley@yahoofinance.com or via encrypted email at danielphowley@protonmail.com, and follow him on Twitter at @DanielHowley.
