CrowdStrike's senior vice president of intelligence Adam Meyers said that "the internet is on fire right now." "People are scrambling for patch," he stated. He also said that the bug had been "fully weaponized," meaning that malefactors had distributed the tools necessary to exploit it.
This flaw could be the most serious computer vulnerability ever discovered. It was found in a utility that is used in enterprise software and cloud servers across government and industry. If not fixed, it will allow criminals, spies, and programming novices easy access to internal networks, where they can steal valuable data, plant malware and erase critical information.
Joe Sullivan, Cloudflare's chief security officer, said that "I would be hard-pressed not to think of a business that's at risk." Cloudflare's online infrastructure protects websites against malicious actors. Experts say the impact of this technology will not be known until several days after it is installed on untold millions more servers.
Tenable CEO Amit Yoran called it "the single largest, most critical vulnerability in the last decade" -- possibly the greatest in modern computing's history.
The vulnerability, known as Log4Shell, was rated 10 by the Apache Software Foundation, which oversees the development of the software. Anyone can exploit the vulnerability to gain full access to any unpatched computer running the software.
Experts believe the extreme ease with which the vulnerability gives access to a web server is what makes it so dangerous.
The computer emergency response team of New Zealand was the first to announce that the flaw was being "actively exploited in the wild" within hours of it being publicly reported on Thursday. A patch was also released.
It was discovered in Apache open-source software that is used to run websites and other services. Alibaba reported the vulnerability to the foundation on November 24, it stated. It took two weeks for the fix to be developed and released.
However, patching systems across the globe could prove difficult. Although most companies and cloud providers like Amazon should be able to update their web servers quickly, much Apache software is embedded in third-party applications that can't be updated.
Yoran of Tenable said that organizations should assume they have been compromised and respond quickly.
Minecraft, a popular online game owned by Microsoft, was the first to show signs of the flaw being exploited. Security expert Marcus Hutchins and Meyers both claimed that Minecraft users had already used it to run programs on other computers by simply entering a message into a chat box.
Microsoft stated that it had released a software update to Minecraft users. It stated that customers who apply the fix will be protected.
Researchers found evidence that the vulnerability could have been exploited on servers owned by companies like Amazon, Apple, Twitter, and Cloudflare.
Cloudflare's Sullivan stated that there was no evidence that his company's servers were compromised. Apple, Amazon, and Twitter didn't immediately respond to our requests for comment.