Help power Marketplace this winter when you support the show today. Donate Now!

Companies are scrambling to fix a dangerous vulnerability in common software

Justin Ho Dec 23, 2021
Heard on:
HTML EMBED:
COPY
Vulnerabilities in the commonly used log4j software could put a lot of businesses at risk, but patching the vulnerabilities is rarely easy or quick. shironosov via Getty Images

Companies are scrambling to fix a dangerous vulnerability in common software

Justin Ho Dec 23, 2021
Heard on:
Vulnerabilities in the commonly used log4j software could put a lot of businesses at risk, but patching the vulnerabilities is rarely easy or quick. shironosov via Getty Images
HTML EMBED:
COPY

IT departments and cybersecurity specialists have been scrambling to deal with a dangerous vulnerability in a piece of software that’s very common — even though you’ve probably never heard of it. 

It’s called “log4j” and it’s a component in all kinds of programs and services, from video games to enterprise software and internet-connected devices. The race is on to find ways to prevent hackers from taking advantage of the vulnerability to steal sensitive information from both businesses and individuals.

Log4j is software that creates a log of what other software is doing.

So, for example, if an application crashes, a log can help someone identify the problem.

“Is it out of memory? Is the file too big? You know, what’s the problem with the code and why can’t it work correctly?” said Chester Wisniewski, a principal research scientist with the security company Sophos.

Hackers have figured out how to trick log4j into writing other things into its log — like, say, a virus, a worm or another piece of malicious code.

“It literally means somebody remotely can tell your computer to run their code without your permission,” Wisniewski said.

And we still don’t know the scale of the vulnerability, he added. The log4j software is free and open-source, so it could be in millions of programs.

“We know it’s in a lot of places, but we don’t know where it is, which is one of the major risks right now,” Wisniewski said.

That has a lot of businesses worried about their enterprise software, the programs they use to run their day-to-day operations.

“We all need to invoke our formal, severe, incident response measures,” said Jonathan Care, an analyst with the research and consulting company Gartner.

Care has been advising business clients on how to protect themselves and identify anything that might be exposed.

“Think about places you wouldn’t normally think about, like where you have remote workers. And, of course, we all have remote workers these days,” he said.

Care said this isn’t just an internal problem for businesses; they’re also exposed to the software their vendors and suppliers use.

In a lot of cases, software companies have been able to patch the vulnerability. But that’s not necessarily quick and simple, according to Jeff Pollard, an analyst at the research company Forrester.

“There’s a lot of things that go into patching. You have to test it, you have to verify it’ll work, you have to make sure it doesn’t break anything else. You have to get it distributed,” he said.

Attackers have already been figuring out ways to exploit the bug, he said. Even as patches are released, “this is one of those things that we’ll keep encountering a year or two down the road, where there will still be apps that are vulnerable to this, that maybe someone missed.”

In the meantime, security experts are saying it’s a good idea for all of us to update the software on all of our devices.

There’s a lot happening in the world.  Through it all, Marketplace is here for you. 

You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible. 

Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.