Log4J bug hits everything, everywhere

Engineers at Google and scores of other tech companies have endured a less than pleasant couple of weeks, ever since the discovery of the log4j bug.  It has been described as the most serious data breach ever, due to the sheer volume of online services that use the log4j code, which helps applications track their activity.  So widespread is the use of this code, which is part of the Java programming language, that it has led to the U.S. Cybersecurity and Infrastructure Security Agency’s security director, Jen Easterly, to say that it is “the most serious vulnerability I have seen in my decades-long career.”

Reports quickly came in once infosec experts realized that asking log4j to log a piece of malicious code actually causes that code to be run.  Hackers can then use this to hijack the system.  Which is not something you want.  Since log4j is embedded in so many pieces of technology around the world, moving away from the compromised lock will inevitably take time.  That isn’t even counting those who will end up standing pat, ignoring the danger or assuming it isn’t a big enough risk to justify changing.  Some of the biggest names affected, that run this code in their operations, include Google, Microsoft, Amazon, IBM and Oracle.  NASA craft on Mars also fall under this umbrella, along with more mundane but ubiquitous items like TVs, smart devices and video games, like the popular title Minecraft.

For hackers, it must feel like anything and everything is up for grabs.  There are so many opportunities from this bug, I imagine they don’t even know where to start.  Some must, however, as reports have come out that hackers had already tried breaking into almost half of all corporate networks worldwide.  Earlier this month, moreover, Iranian state-backed hackers tried to use the log4j exploit to break into Israeli targets.  It really is a bit of a free for all.  Everyone is scrambling to either prevent the vulnerability from hitting them where it hurts or to exploit it.

As a result, engineers at Google and elsewhere have seen around the clock work that has caused everyone major headaches.  For all this complexity, however, the strategies for fighting this new threat are the same as ever for the average user.  Staying on guard for phishing emails, as well as ensuring all apps are updated and any patches downloaded, can assist the security industry while it works to correct this bug.

(Note: None of NetLib Security’s products incorporate Java or the log4j component, instead utilizing Windows Event Log and the native Windows SDK to log messages, and are not impacted by this bug)


By: Jonathan Weicher, post on December 29, 2021
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security