"It will take years to address this while attackers will be watching... on a daily basis [to attack it]," said David Kennedy, CEO of cybersecurity firm TrustedSec. "This is a huge security risk for businesses."

Here are some of the things you need to be aware of:

What is Log4j? And why is it important?

According to security experts, Log4j is one of the most widely used logging libraries online. Log4j gives software developers a way to build a record of activity to be used for a variety of purposes, such as auditing, troubleshooting, and data tracking. Because it is both open-source and free, the library touches essentially every part of the internet.

"It's ubiquitous. Even if you do not use Log4j directly as a developer, you may still be running vulnerable code because the open source library you use relies on Log4j," Chris Eng of cybersecurity firm Veracode told CNN Business. "This is the nature of software that is a turtle all the way down."

The software is used by corporations such as Apple, IBM, Oracle, Cisco, Google and Amazon. It could be present in popular apps and websites, and millions of devices around the world that access these services could be susceptible to the vulnerability.

Are hackers exploiting it?

According to cybersecurity firm Cloudflare, attackers appear to have had more than a week to exploit the software flaw before it was revealed. With hacking attempts happening every day, some worry that the most severe attack is yet to come.

"Sophisticated threat agents will figure out a way to really weaponize the vulnerability to get maximum gain," Mark Ostrowski, Check Point's head engineer, said on Tuesday.

Late Tuesday, Microsoft said in an update to a blog post that state-backed hackers from China, Iran, North Korea and Turkey have attempted to exploit the Log4j flaw.

What makes this security flaw so dangerous?

Experts are particularly concerned about the vulnerability because hackers could gain access to a company's computer server, granting them access to other components of an organization's network. Kennedy says it's hard to identify the vulnerability and determine if a system is already compromised.

Another vulnerability was discovered in Log4j's software late Tuesday. The Apache Software Foundation, a non-profit that developed Log4j and other open-source software, has released security patches for businesses.

How are companies trying to tackle the issue?

This week, Minecraft published a blog post announcing that a flaw was discovered in a version of its game. It promptly issued an update. Similar steps have been implemented by other companies.

US warns hundreds of millions of devices are at risk from a new software vulnerability

IBM, Oracle, AWS and Cloudflare have all issued advisories to customers, with some pushing security updates or outlining their plans for possible patches.

"This is a serious vulnerability, but it's not something you can press a button to patch like a traditional major vulnerability." Kennedy stated that it will require a lot of work and time.

For transparency and to help cut down on confusion, CISA said it would create a public website that will provide updates on which software products were affected by the vulnerability and how hackers took advantage of them.

What can you do to ensure your security?

Companies are under immense pressure to act. For now, the recommendation is to update devices, software and applications when companies issue prompts in the coming days and weeks.

What's next?

The US government has cautioned affected businesses to be on guard over the holidays for cyberattacks and ransomware.

There is concern that malicious actors could exploit the vulnerability in innovative ways. While large technology companies might have security teams in place to tackle these potential threats, many other organizations do not.

"What I'm most concerned about is the schools, the hospitals, those places where there's just one IT person who does security, who doesn't have time or the budget for security or the tooling," said Katie Nickels, Director of Intelligence at cybersecurity company Red Canary. "Those are the organizations I'm most concerned about: small-sized organizations with tiny security budgets."


Last-modified: 2022-09-15 (Thu) 12:16:48 (595d)