Apple iCloud, Twitter and Minecraft vulnerable to ‘ubiquitous’ zero-day exploit
<blockquote data-quote="Carly Page" data-source="post: 3568"><p>A number of popular services, including Apple <a href="https://techcrunch.com/tag/icloud/" target="_blank">iCloud</a>, Twitter, Cloudflare, <a href="https://techcrunch.com/tag/minecraft/" target="_blank">Minecraft</a> and Steam, are reportedly vulnerable to a zero-day exploit affecting a popular Java logging library.</p>
<p>The vulnerability, dubbed “Log4Shell” by researchers at LunaSec and credited to Chen Zhaojun of <a href="https://techcrunch.com/tag/alibaba/" target="_blank">Alibaba</a>, has been found in Apache Log4j, an <a href="https://techcrunch.com/tag/open-source/" target="_blank">open source</a> logging utility that’s used in a huge number of apps, websites and services. Log4Shell was first discovered in Microsoft-owned Minecraft, though LunaSec warns that “many, many services” are vulnerable to this exploit due to Log4j’s “ubiquitous” presence in almost all major Java-based enterprise apps and servers. In a <a href="https://www.lunasec.io/docs/blog/log4j-zero-day/" target="_blank">blog post</a>, the cybersecurity company warned that anybody using Apache Struts is “likely vulnerable.”</p>
<p>Companies with servers <a href="https://github.com/YfryTchsGD/Log4jAttackSurface" target="_blank">confirmed</a> to be vulnerable to Log4Shell attack so far include Apple, Amazon, Cloudflare, Twitter, Steam, Baidu, NetEase, Tencent and Elastic, though there are likely hundreds if not thousands of other organizations affected. None of the companies affected by the flaw have yet responded to our request for comment.</p>
<p>Robert Joyce, the director of Cybersecurity at the NSA, <a href="https://twitter.com/NSA_CSDirector/status/1469305071116636167" target="_blank">confirmed that GHIDRA,</a> a free and open source reverse engineering tool developed by the agency, is also affected: “The Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA,” he said.</p>
<p>The <a href="https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/" target="_blank">Computer Emergency Response Team</a> (CERT) for New Zealand, <a href="https://twitter.com/DTCERT/status/1469258597930614787" target="_blank">Deutsche Telekom’s CERT</a>, and the <a href="https://twitter.com/_mattata/status/1469144854672379905" target="_blank">Greynoise</a> web monitoring service have all warned that attackers are actively looking for servers vulnerable to Log4Shell attacks. According to the latter, around 100 distinct hosts <a href="https://twitter.com/GreyNoiseIO/status/1469326260803416073" target="_blank">are scanning</a> the internet for ways to exploit the Log4j vulnerability.</p>
<p>Kayla Underkoffler, a senior security technologist at HackerOne, tells TechCrunch that this zero-day highlights the “threat that open source software presents as a growing portion of the world’s critical supply chain attack surfaces.”</p>
<p>“Open source software is behind nearly all modern digital infrastructure, with the average application using 528 different open source components,” Underkoffler said. “The majority of high-risk open source vulnerabilities discovered in 2020 have also existed in code for more than two years and most organizations lack direct control over open source software within supply chains to easily fix these weaknesses. Securing this often poorly funded software is imperative for any organization that relies on it.”</p>
<p>The Apache Software Foundation has released an emergency security update today to patch the zero-day vulnerability in Log4j, along with mitigation steps for those unable to update immediately. Game developer Mojang Studios has also released an emergency Minecraft security update to address the bug.</p></blockquote>