WSJ Report by Robert McMillan
"Cybersecurity officials at major tech companies are scrambling to patch a serious flaw in a widely used piece of internet software that security experts warn could unleash a new round of cyberattacks.
The bug, hidden in an obscure piece of server software called Log4j, has prompted investigations into the depth of the problem within Amazon.com Inc., Twitter Inc. and Cisco Systems Inc., according to the companies.
Amazon, the world’s biggest cloud computing company, said in a security alert, “We are actively monitoring this issue, and are working on addressing it.”
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on Friday issued an alert about the vulnerability and urged companies to take action. CISA Director Jen Easterly on Saturday added, “To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector.”"
ARTICLE
Comments
For all of Oahu, the bus system and the handicap service, the HandiVan, are still not 100% after a cyberattack last week. Service is running, but the fare-card readers still don't work. Criminal suck-holes. Find them. Execute them.
https://www.kitv.com/news/crime/cyber-attack-shuts-down-servers-at-thehandi-van-thebus/article_5ed63970-5920-11ec-ab97-675ae372cdca.html
On Dec. 9, proof of concept for a remote code execution vulnerability in Apache Log4j was submitted.
Attackers can download/execute malicious payloads and take full control of vulnerable systems by submitting specially crafted requests. Although there are fixes and workarounds available, it will take time to identify and remediate these vulnerabilities.
In the meantime, bad guys (and gals?) are hard at work searching for systems to exploit.
This is a very serious situation...
https://www.kitv.com/news/crime/bws-ems-employees-warned-of-possible-identity-theft-after-hackers-target-payroll-vendor/article_a5caee94-5c76-11ec-bd0b-a3979031a6b6.html
If your hardware/applications don't use Apache Log4J versions 2.0 - 2.15.0, you are not at risk.
The Netherlands' National Cyber Security Centrum (NCSC) posted a comprehensive A-Z list of all products it is aware are either vulnerable, not vulnerable, or under investigation.
They had a cyber security expert on CNBC and she said that this is going to be an ongoing problem and that it wasn't a write-a-patch-and-fix-it sort of thing. I do not know. I do know I just updated my Chrome browser with a quick upgrade.
rono