Criminal hackers and security experts are locked in a race over the vulnerability in Log4j software. Patches are being released, but the danger from the vulnerability has not yet passed, the Washington Post reports. When the sites, services, and devices at risk are added up, experts say, this is the greatest software vulnerability ever, caused by "a design failure of catastrophic proportions," one said, per Wired. The hole in the Java software has existed for years but only recently became widely known. Here's where the problem stands:
- The issue: Log4j is a logging library: it records an app's activity so developers and operators can trace what happened. Cybersecurity teams realized weeks ago that when the library logs a string containing a specially formatted lookup (written as ${jndi:...} and pointing at a server the attacker controls), it does not simply record the text; it contacts that server and can load and run the code it sends back. Because anything a user types (a username, a chat message, a browser's User-Agent header) may end up in a log, that allows hackers to seize control of servers running Log4j.
- The reach: The software, which is available online free of charge, is everywhere—even on Mars, where it's used by NASA's Ingenuity helicopter. Services from Google, Amazon, and Microsoft are affected, as are internet-connected TVs and security cameras.
- Difficulty factor: It's easy to exploit the hole; no special access is needed, only a way to get the malicious string written to a log. During a Minecraft game, typing it into the public chat box does the trick, because the server logs chat messages. On Twitter, some users changed their display names to such strings, so that any vulnerable service logging those names would set off an attack.
- The response: Teams at tech companies are working around the clock, sifting through code to check it. Google, for example, had more than 500 engineers working on the problem. On Friday, Apache published patches and mitigations, per Wired.
- The damage: Hackers have tried using the flaw to access almost half the world's corporate computer networks, a cybersecurity company said. Government and business sites have been targeted by Iran-backed hackers, Check Point said.
- To be safe: As usual, watch out for phishing emails, which might start coming more frequently and could be used to deliver the bad code, experts say. Don't open attachments or click on links, even if an email warns of a problem with your account. If you're worried, try to reach the company the old-fashioned way—by phone. For anyone running Java services, the real fix is to apply Apache's patches.