
Millions of servers are at risk due to the Log4Shell vulnerability

Security teams at companies large and small are scrambling to fix a previously unknown vulnerability called Log4Shell, which has the potential to allow hackers to infiltrate millions of devices across the Internet.

If exploited, the vulnerability allows remote code execution on vulnerable servers, giving the attacker the ability to load malware that would compromise the devices.

The vulnerability was found in log4j, an open source logging library used by applications and online services.

Logging is a process in which applications maintain a running list of the activities they have performed that can be reviewed later in the event of an error.

Almost every network security system runs some kind of logging process, which gives popular libraries like log4j a massive reach.

Marcus Hutchins, a prominent security researcher known for stopping the global WannaCry malware attack, noted online that millions of apps are affected.

Hutchins tweeted: Millions of apps use Log4j for logging, and all an attacker needs to do is make the app log a special string.

The vulnerability was first seen across sites hosting Minecraft servers. An attacker could trigger the vulnerability by posting chat messages.


A tweet from security analytics firm GreyNoise stated that it had discovered several servers scanning the Internet for devices vulnerable to the exploit.

Several services are vulnerable to this exploit, said a blog post from application security company LunaSec. Cloud services like Steam and iCloud have been discovered to be at risk.

To exploit the vulnerability, the attacker would have to cause the application to save a special string of characters in the log.

And because applications routinely log a wide variety of events, the vulnerability is easy to exploit. It can also be triggered in several ways.

Log4Shell vulnerability gives way to code execution

Cloudflare's chief technology officer said: "This is a very serious problem due to the widespread use of Java and this log4j package. There are a huge number of Java programs connected to the Internet and back-end systems."

He added: "There are two exploits of equal severity that have emerged over the past 10 years, namely Heartbleed and Shellshock."

The first exploit allowed attackers to obtain information from servers that should have been secure, while the second allowed code to be run on a remote machine.

However, the diversity of applications vulnerable to exploitation, and the range of possible delivery mechanisms, means that firewall protection alone does not eliminate the risk.

In theory, the exploit could be carried out by hiding the attack string in a QR code that is scanned by a parcel delivery company. This means that the attack string can make its way into a system without being sent directly over the Internet.

An update to the log4j library has been released to mitigate the security issue. But given the time it takes to ensure that all devices at risk are up to date, Log4Shell remains a pressing threat.
