programming novices alike easy access to
internal networks where they can loot valuable
data, plant malware, erase crucial information and
much more.
“I’d be hard-pressed to think of a company that’s
not at risk,” said Joe Sullivan, chief security officer
for Cloudflare, whose online infrastructure
protects websites from malicious actors.
Untold millions of servers have it installed, and
experts said the fallout would not be known for
several days.
Amit Yoran, CEO of the cybersecurity firm
Tenable, called it “the single biggest, most critical
vulnerability of the last decade” — and possibly
the biggest in the history of modern computing.
The vulnerability, dubbed ‘Log4Shell,’ was rated
10 on a scale of one to 10 by the Apache Software
Foundation, which oversees development of the
software. Anyone with the exploit can obtain
full access to an unpatched computer that uses
the software.
Experts said the extreme ease with which the
vulnerability lets an attacker access a web server
— no password required — is what makes it
so dangerous.
New Zealand’s computer emergency response
team was among the first to report that the
flaw was being “actively exploited in the wild”
just hours after it was publicly reported and a
patch released.
The vulnerability, located in open-source Apache
software used to run websites and other web
services, was reported to the foundation on Nov.
24 by the Chinese tech giant Alibaba, it said. It
took two weeks to develop and release a fix.