Government officials said the flaw is already being “widely exploited” by nefarious bad actors, meaning there’s a good chance anyone reading this is at risk. Here’s what you need to know.
A newly discovered security flaw in widely used computer code has put users, devices and software all over the world at “severe risk” of being exploited, according to the U.S. government.
The problem is what experts are calling a “vulnerability,” or in other words a kind of programming door that would let hackers into a computer system. According to a statement from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the vulnerability is part of the “log4j software library” and is already “being widely exploited by a growing set of threat actors.” The statement goes on to describe the problem as “urgent.”
“To be clear, this vulnerability poses a severe risk,” the statement adds.
The software that includes the security flaw is widespread, meaning there’s a good chance anyone reading this is at risk. So here’s what you need to know:
What is Log4j?
Log4j is a piece of software that records what a device is doing. Andrew Morris, founder and CEO of cyber-intelligence firm GreyNoise, told NPR that the software is like “a modular component that’s used in many, many different kinds of software.” In other words, it’s computer code that programmers all over the world include in their software, and it has ended up in a vast number of places.
Morris also reportedly said that the flaw is “really not that complicated,” meaning it’s fairly easy for hackers to exploit. According to CNET, hackers can use the flaw to take over servers, preventing their true owners from using them.
Hackers have used the flaw to mine for cryptocurrency on other people’s devices and steal data, among other things, Wired reported.
Who is at risk?
The short answer here is basically everyone.
Computer security firm Rumble has compiled a list of products and services that include the Log4j flaw, and the list is extensive. It includes names such as Cisco, Dell, Github, IBM and scores of others.
Google Cloud, Amazon Web Services and other big names have also indicated their software may have been compromised.
Additionally, NPR reported that the vulnerability is present in nearly everything that uses the Java coding language. Theoretically, this puts the number of potentially at-risk technology users in the millions, or even billions.
On Monday, cybersecurity company Check Point revealed in a report that it had detected 800,000 attacks over the prior 72 hours. The company’s findings also suggested the rate of attack was rising.
It’s unclear at this point how many dedicated real estate technology companies’ products may be at risk, but given the ubiquity of the flaw presumably it is a large number of them. Inman will update this post as real estate technology companies provide additional guidance.
Where did Log4j come from?
The flaw was built into the code, but it first began gaining widespread attention after an attack on the computer game Minecraft. On Friday, the game’s staff posted a note about the issue revealing that “this vulnerability poses a potential risk of your computer being compromised.” According to CNET, Minecraft posted the note after attackers managed to take over one of the game’s servers. Microsoft, which owns the game, eventually patched the vulnerability.
According to NPR, a researcher working for Chinese retail giant Alibaba also independently discovered the vulnerability.
Since these discoveries, awareness about Log4j has spread widely across the internet.
What happens now?
The CISA’s statement notes that in light of the danger, “end users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software.” In other words, its up to software providers to fix the flaw in their products.
The statement also urges vendors to communicate “with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.”
In practice, this means software providers are essentially in “a race with the hackers,” David “Moose” Wolpoff, chief technology officer at cybersecurity firm Randori, told NPR. Wolpoff added that IT professionals have been working nonstop to plug up the flaw, and said “the internet’s on fire.”
All of this means that everyday users should be in touch with their software vendors and should make sure they have the latest updates. Indeed, companies such as Google have encouraged users to respond by making sure they have the latest software updates on their devices.
That said, the issue will take time to resolve. Check Point ultimately concluded in its report that this is one of the most serious vulnerabilities on the internet in recent years, and the potential for damage is incalculable.”
And Chris Frohoff, a security researcher, told Wired that “what is almost certain is that for years people will be discovering the long tail of new vulnerable software as they think of new places to put exploit strings.”