Cybersecurity officials at large tech companies are trying to fix a fatal bug in widely used Internet software that security experts have warned could spark another round of cyberattacks.
The bug hidden in obscure server software called Log4j has prompted research into the depth of the problem
Cisco Systems Inc.,
according to the company.
Amazon, the world’s largest cloud computing company, said in a security warning: « We are actively monitoring this problem and are working to address it. »
The Cybersecurity and Infrastructure Security Agency des The Department of Homeland Security issued a warning about the vulnerability on Friday urging companies to take action. CISA Director Jen Easterly added on Saturday: « To be clear, this vulnerability poses a serious risk. We will only minimize its potential impact through a concerted effort between government and the private sector. »
Software providers that integrate Log4j into their products such as
International Business Machines Corp.
said they were providing patches.
« ‘It’s one of the most significant weak spots I’ve seen in a long time. » »
Because the flaw is easy to exploit and attacks are difficult to block, the Log4j problem could be used by hackers to break into corporate networks for years to come, said Aaron Portnoy, chief scientist at the security firm Randori. « It’s one of the most significant vulnerabilities I’ve seen in a long time, » he said.
The bug allows hackers to convert the log files that track user activity on computer servers into malicious instructions that control the computer force them to download unauthorized software, giving them a bridgehead on a victim’s network.
The problem was reported late last month to the Log4j development team, a group of volunteer programmers who distribute their software for free through the Apache Software Foundation, says Ralph Goers, a volunteer in the project. The foundation is a non-profit group that oversees the development of many open source programs.
« It’s a very critical topic, » said Mr. Goers. « People have to upgrade to get the solution. » Log4j is used on servers to keep a record of users’ activities so that they can later be reviewed by security or software development teams.
Since Log4j is distributed free of charge, it is unclear how many servers are affected by the bug, but the logging software has been downloaded millions of times, Goers said.
It’s not the first time the open source software has raised security concerns. In 2014, internet users worldwide were urged to reset their passwords after another problem known as Heartbleed was discovered in OpenSSL, an obscure but similarly ubiquitous internet software developed by volunteers.
Hackers started early Friday, exploiting the latest bug to gain access to running servers
Minecraft game software, researchers said. But they soon saw widespread scans and attempts to trigger the Log4j bug over the Internet. In a note posted on Friday, Microsoft advised Minecraft users to update their software to fix the bug.
A weekly roundup of tech reviews, headlines, columns, and your questions asked by the personal tech gurus at WSJ to be answered.
During a period of approximately 24 hours, the security company Check Point Software Technologies Ltd. claimed to have seen more than 100,000 attempts to exploit the bug – around half of them by malicious cyber attackers. The rest came from legitimate researchers, either from governments scanning national infrastructure or from security researchers, CheckPoint said.
A Dutch researcher, Cas van Cooten, said he had the bug. discovered
by Apple Inc
Servers that may allow it to run code within the Apple network. Van Cooten said he reported the problem to Apple immediately.
« It would have been trivial for a malicious hacker to turn this into a weapon, » he said. An Apple spokesperson didn’t respond to messages asking for comment.
Another researcher, Carson Owlett, said consultants working with his security firm Black Mirage LLC were able to spot the bug on other companies’ systems, including Twitter and LinkedIn, which is also owned by Microsoft.
« Our teams are looking into this, but we don’t have any details at the moment, » a Twitter spokeswoman said on Friday via email. A LinkedIn spokeswoman said via text message, « While we’re responding, like many corporate security teams, we don’t have an active problem. »
Because servers log all kinds of data – everything from email addresses to web navigation requests – these attempts could give attackers access to a vulnerable server deep within corporate networks, said Ryan McGeehan, an independent security consultant and former security director. at Facebook. « A successful attack is like creating a wormhole, » he said. “The attacker can’t be sure where he’ll end up.” However, security experts warned that although researchers may have discovered the Log4j bug on tech company websites, many of them implemented other processes that prevent it would have a malicious hacker execute software and break into these companies.
Cisco is investigating more than 150 of its products to look for the Log4j bug. So far, three susceptible products have been found and 23 have been found not to be susceptible, a company spokesman said on Saturday.
Vulnerability,Log4j,Computer security,Zero-day,Vulnerability, Log4j, Computer security, Zero-day,,
Donnez votre avis et abonnez-vous pour plus d’infos
Vidéo du jour: