Last December 9, the news of a computer error newly discovered in a computer code called ‘log4j’ began to spread through the community of cybersecurity.
The next day, almost all the major Business from software were in “crisis mode“, trying to figure out it affected their products and how they could repair the trouble.
The reactions of the experts in security in front of this new vulnerability in an extremely common code section called log4j were not long in coming:
“The log4j vulnerability is the most serious I have seen in all my career years“, said Jen Easterly, director of the Infrastructure and Cybersecurity Security Agency from U.S, in an interview granted last Thursday to the American television channel CNBC.
What is log4j?
Log4j is a library of Open Source developed in Java by Apache Software Foundation that helps Applications software to perform a follow-up of your past activities. Instead of reinventing a component of “Registration”, every time developers create a new software, they often use existing code like log4j.
Since when log4j is asked to log something new, it tries make sense of to that new entry and add it to the registry. “This tool is widely used and appears in a large part of the Internet services.” Explains Asaf Ashkenazi, director of operations of the security company Verimatrix.
Why is it the biggest software vulnerability?
A few weeks ago, the cybersecurity community realized that just asking the program to register a line of malicious code, would run that code in the process, allowing cyber criminals to take control of servers which run this code.
The fact that log4j is such a commonly used piece of software is what makes this so important. Log4j is part of the Java programming language and it is one of the fundamental ways in which software has been written since the mid- ninety.
So much so that cloud storage companies like Google, Amazon and Microsoft, which provide the digital backbone for millions of other applications, have been affected.
So have other computer giants like IBM, Oracle and Salesforce, in addition to thousands of devices that connect to the Internet, such as televisions and security cameras.
Thanks to this very easily accessible vulnerability that they have been using since “day zero”, (in the Minecraft video game it is as easy as writing a line of malicious code in the public chat box during the game), hackers trying to break into digital spaces to steal information or plant malicious software, they have a new opportunity to try to get into almost any place they want. That doesn’t mean that everything will be hacked, but it is much easier to do.
The programmers, computer scientists and security experts have been working around the clock since the vulnerability was disclosed to correct it in whatever piece of software they are responsible for.
“More of 500 engineers have been going through lots and lots of code to make sure it’s secure,” said a Google employee. This process is being repeated in all kinds of technology companies.
“Some people haven’t slept in days, or they sleep like three or four hours and then wake up again,” Ashkenazi said, adding: “We worked twenty-four hours a day. It’s a nightmare since it came out. ”
Also, get a whole industry upgrade quickly a specific software is almost impossible. Many companies will not end up doing it or will think that they are not affected when in fact they are. That means log4j could be a serious problem that will last several years.
What can we users do?
To exploit the vulnerability, hackers must deliver malicious code to a service which runs log4j. The emails from identity fraud are one way of doing it. If you receive an email saying that your account has been engaged or that your package could not be delivered, do not open any links or attachments.
First, make sure you have an account with that company or are waiting for an email from that supplier company. And if that’s the case, look for a number from Customer Support and communicate that way.
“The best thing regular computer users can do is make sure that their computers applications are updated to their newer versions,” Malik said. According to experts the developers will send patches in the next few days to fix any log4j issues and it will be important to download them quickly.
Rachel Maga is a technology journalist currently working at Globe Live Media agency. She has been in the Technology Journalism field for over 5 years now. Her life’s biggest milestone is the inside tour of Tesla Industries, which was gifted to her by the legend Elon Musk himself.