Why is the Log4j cybersecurity flaw the ‘most serious’ in decades?

A newly discovered cybersecurity flaw is affecting vast swaths the internet from Google and Amazon to the systems used to run militaries and hospitals, with US Homeland Security’s top cybersecurity official calling it the most serious vulnerability in decades. 

The flaw is present within a popular piece of software called Log4j, which is part of the ubiquitous programming language Java. Log4j is used by millions of websites and apps — and the software’s flaw potentially allows hackers to take control of systems by typing a simple line of code, according to cybersecurity experts. 

“The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career,” Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said Thursday on CNBC. 

Most hacking attempts using Log4j so far have involved attackers trying to install cryptocurrency “mining” software on victims’ computers. However, an Iranian hacking group called “Charming Kitten” has also tried to use the vulnerability to breach government agencies and businesses in Israel, according to the cybersecurity company Check Point. 

The Log4j flaw is more serious than other cybersecurity flaws because of its “ubiquity, simplicity and complexity,” according to Easterly.

“It is a piece of software, open source, that’s in millions of devices from video games to hospital equipment to industrial control systems to cloud services,” the cybersecurity official said.

“It is trivial to exploit,” she added. “And it takes a very focused effort to be able to find and to fix the vulnerability.” 

While there’s little that individual internet users can do to protect themselves, government agencies and tech companies alike are scrambling to fix the vulnerability. 

The Cybersecurity and Infrastructure Security Agency published an emergency directive on Friday urging all government agencies to immediately “patch” computer systems to address the Log4j flaw. 

Google, meanwhile, has more than 500 engineers combing through the company’s code to make sure it’s safe, the Washington Post reported. 

Asaf Ashkenazi, chief operating officer of security company Verimatrix, told the paper that coders across tech companies have been clocking excessive hours since the Log4j issue was first made public on Dec. 9. 

“Some of the people didn’t see sleep for a long time, or they sleep like three hours, four hours and wake back up,” Ashkenazi told the Washington Post. “We were working around-the-clock. It’s a nightmare since it was out. It’s still a nightmare.”

Even the Microsoft-owned online video game Minecraft has been affected. Some hackers were apparently able to breach victims by typing a single line of code into the game’s chat box, according to Wired. Microsoft says it has since fixed the issue and is urging players to update their Minecraft software.

On Monday, Belgium’s defense ministry was forced to shut down parts of its computer network after hackers triggered the Log4j vulnerability, the Wall Street Journal reported. The ministry did not provide details on the breach. 

Comments are closed.