Here's a statement of the obvious: The opinions expressed here are those of the participants, not those of the Mutual Fund Observer. We cannot vouch for the accuracy or appropriateness of any of it, though we do encourage civility and good humor.

Tech giants Microsoft, Amazon and Others Warn of Widespread Software Flaw


WSJ Report by Robert McMillan

"Cybersecurity officials at major tech companies are scrambling to patch a serious flaw in a widely used piece of internet software that security experts warn could unleash a new round of cyberattacks.

The bug, hidden in an obscure piece of server software called Log4j, has prompted investigations into the depth of the problem within Amazon.com Inc., Twitter Inc. and Cisco Systems Inc., according to the companies.

Amazon, the world’s biggest cloud computing company, said in a security alert, “We are actively monitoring this issue, and are working on addressing it.”

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on Friday issued an alert about the vulnerability and urged companies to take action. CISA Director Jen Easterly on Saturday added, “To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector.”"

ARTICLE

Comments

  • Thanks, that is a significant flaw. Amazon and Microsoft have significant presence in cloud-based backup storage services to both business and government.
  • edited December 2021
    What a surprise. (NOT.) Microsoft is buggy and deficient. Microsoft has pretty much always been buggy and deficient.
    For all of Oahu, the bus system and the handicap service, the HandiVan, are still not 100%, after a cyberattack last week. Service is running, but the fare-card readers still don't work. Criminal suck-holes. Find them. Execute them.
    https://www.kitv.com/news/crime/cyber-attack-shuts-down-servers-at-thehandi-van-thebus/article_5ed63970-5920-11ec-ab97-675ae372cdca.html
  • edited December 2021
    Apache Log4j is a widely used Java library leveraged by numerous applications and services.
    On Dec. 9, proof of concept for a remote code execution vulnerability in Apache Log4j was submitted.
    Attackers can download/execute malicious payloads and take full control of vulnerable systems by submitting specially crafted requests. Although there are fixes and work-arounds available, it will take time to identify and remediate these vulnerabilities.
    In the meantime, bad guys (and gals?) are hard at work searching for systems to exploit.
    This is a very serious situation...
  • So for those, like me, who don't understand a single word of that, what does it mean to the individual computer user? What should we avoid doing?
  • Simon said:

    So for those, like me, who don't understand a single word of that, what does it mean to the individual computer user? What should we avoid doing?

    Indeed. Thanks for asking. I sure don't know.
  • .....And once again, here on Oahu: new crap is happening: cyberattacks vs. Queen's Health System, the municipal Board of Water Supply and Honolulu EMS. These despicable motherlovers must be caught and made to SUFFER.
    https://www.kitv.com/news/crime/bws-ems-employees-warned-of-possible-identity-theft-after-hackers-target-payroll-vendor/article_a5caee94-5c76-11ec-bd0b-a3979031a6b6.html
  • edited December 2021
    Simon said:

    So for those, like me, who don't understand a single word of that, what does it mean to the individual computer user? What should we avoid doing?

    This vulnerability mostly impacts enterprises and will keep security teams busy for quite some time.
    If your hardware/applications don't use Apache Log4J versions 2.0 - 2.15.0 you are not at risk.
    The Netherlands' National Cyber Security Centrum (NCSC) posted a comprehensive A-Z list of all products it is aware are either vulnerable, not vulnerable, or under investigation.
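
One way to run the version check described in the comment above across a server's files, as an added example that is not part of the original thread: it finds `log4j-core` jars by filename, including copies bundled inside other archives, and flags the 2.0 to 2.15.0 range that comment quotes. The function names and the nesting limit are this example's own choices.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Range quoted in the comment above: Log4j 2.0 through 2.15.0, inclusive.
FLAGGED_MIN, FLAGGED_MAX = (2, 0, 0), (2, 15, 0)
JAR_NAME = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def version_from_name(name):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    m = JAR_NAME.search(name)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def in_flagged_range(version):
    return FLAGGED_MIN <= version <= FLAGGED_MAX

def scan_archive(source, label, findings, depth=0):
    """Record log4j-core jars bundled in an archive, recursing into nested ones."""
    if depth > 4:  # assumed bound on archive-in-archive nesting
        return
    try:
        with zipfile.ZipFile(source) as zf:
            for info in zf.infolist():
                inner = f"{label}!/{info.filename}"
                version = version_from_name(info.filename)
                if version:
                    findings.append((inner, version, in_flagged_range(version)))
                elif info.filename.lower().endswith(ARCHIVES):
                    scan_archive(io.BytesIO(zf.read(info)), inner, findings, depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # unreadable, encrypted, or not really an archive: skip it

def scan_tree(root):
    """Return [(location, version, flagged)] for every log4j-core jar under root."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        version = version_from_name(path.name)
        if version:
            findings.append((str(path), version, in_flagged_range(version)))
        elif path.suffix.lower() in ARCHIVES:
            scan_archive(path, str(path), findings)
    return findings

if __name__ == "__main__":
    for location, version, flagged in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("FLAGGED" if flagged else "ok", ".".join(map(str, version)), location)
```

A copy that has been renamed or repackaged under a different filename is not found by this filename-based check.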
  • Howdy,

    They had a cyber security expert on CNBC and she said that this is going to be an ongoing problem and that it wasn't a write-a-patch-and-fix-it sort of thing. I do not know. I do know I just updated my Chrome browser with a quick upgrade.

    rono