Computer security experts scramble to fix ‘vulnerability of the decade’

WASHINGTON — Criminals, cyber spies, and hackers around the world are launching thousands of attempts every hour to exploit a flaw in a widely used logging software as cybersecurity experts are scrambling to close the loophole and prevent catastrophic attacks.

In early December, a security researcher at Chinese online retailer Alibaba discovered and reported the software flaw in a widely used tool called log4j. The open-source tool is a Java-based library developed by Apache that software developers use to track activity within an application.

Every time anyone on the internet connects to a site, a cloud-service provider, or others, the company managing the site or the service captures data about the activity and stores it in a log. Hackers are now attempting to break into such logs and launch attacks.

“We have kind of what I call a threefold problem here,” said Steve Povolny, principal engineer and head of advanced threat research at McAfee Enterprise. “The simplicity of the attack, the ubiquity of vulnerable installed base, and the wide availability of exploit code really combine to make this … maybe the vulnerability of the decade.”

Although Apache has offered a patch to fix the flaw, companies and government agencies use many versions of the log4j tool and are trying to figure out which fix works with what version, Povolny said. But as of late last week, security researchers have identified that a fix known as version 2.16 “effectively solves the problem,” he said.

Nevertheless, as companies and government agencies around the world attempt to fix the problem there’s “no question that this has been and is going to continue to be further weaponized,” Povolny said.

The widespread vulnerability marks a bookend to a year notable for significant cyber and ransomware attacks. At the start of 2021 the world began to grapple with the consequences of a sophisticated Russian attack on SolarWinds, a software management company, which was discovered in December 2019. The attack exposed dozens of U.S. agencies and thousands of companies to potential exploitation by Russian intelligence services.

In the months since, ransomware attacks crippled pipeline operator Colonial Pipeline and…