A New Minecraft Bug is Threatening Brands Around the World
A critical vulnerability in a widely used software tool, one that was quickly exploited in the online game Minecraft, is rapidly emerging as a major threat to organizations worldwide.
“Right now, the internet is on fire,” CrowdStrike’s senior vice president of intelligence, Adam Meyers, concurred. “People are scrambling to patch, and all kinds of people are scrambling to exploit it,” he said. He said Friday morning that the bug had been fixed in the 12 hours since its discovery. Malefactors had developed and distributed tools to exploit it, so it was “fully weaponized.”
The flaw could be the worst discovered in computer security in years. It was discovered in an open-source logging tool that is widely used in cloud servers and enterprise software in industry and government. Unless it is fixed, it allows criminals, spies, and inexperienced programmers alike easy access to internal networks where they can loot valuable data, plant malware, erase critical information, and do a variety of other things.
“I’d be hard pressed to think of a company that isn’t at risk,” said Joe Sullivan, chief security officer at Cloudflare, which protects websites from malicious actors through its online infrastructure. The vulnerable software has been installed on untold millions of servers, and the consequences will not be known for several days, according to experts.
Tenable CEO Amit Yoran called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in modern computing history.
The vulnerability, dubbed ‘Log4Shell,’ was rated a ten on a scale of one to ten by the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can gain full access to an unpatched computer running the software. Experts say what makes the vulnerability so dangerous is the extreme ease with which it lets an attacker access a web server, with no password required.
Just hours after the flaw was publicly reported Thursday and a patch was released, New Zealand’s computer emergency response team was among the first to report that it was being “actively exploited in the wild.”
The vulnerability was discovered in open-source Apache software, which is used to run websites and other web services. According to the foundation, the Chinese tech giant Alibaba reported it to the foundation on November 24. A fix took two weeks to develop and release.
Patching systems all over the world, on the other hand, could be a difficult task. While most organizations and cloud providers, such as Amazon, should be able to easily update their web servers, the same Apache software is frequently embedded in third-party programs, which are often only updated by their owners.
According to Yoran of Tenable, organizations must assume they have been compromised and act quickly.
The first obvious signs of the flaw’s exploitation appeared in Minecraft, a hugely popular online game for kids owned by Microsoft. According to Meyers and security expert Marcus Hutchins, Minecraft users are already using it to execute programs on other users’ computers by pasting a short message in a chat box.
Microsoft announced a software update for Minecraft users. “Customers who apply the fix are protected,” the company stated.
Researchers discovered evidence that the vulnerability could be exploited in servers run by Apple, Amazon, Twitter, and Cloudflare.
Sullivan of Cloudflare stated that there was no evidence that his company’s servers had been compromised. Requests for comment from Apple, Amazon, and Twitter were not immediately returned.