Computer security experts around the world are trying to fix one of the worst software weaknesses found in years.

The vulnerability is in an open-source program widely used by government and industry. It has become a major threat to organizations around the world.

“The internet’s on fire right now," said Adam Meyers. He is the vice president at the cybersecurity company Crowdstrike.

The problem is found in an open-source Apache utility called log4j. It is used to run websites and other web services. The vulnerability is known as “Log4Shell.”

The software problem's severity was rated 10 on a scale from one to 10 by the Apache Software Foundation, which oversees development of the software.

The vulnerability was reported on November 24 by the Chinese technology company Alibaba. It took two weeks to develop a patch.

Last week, Meyers said that within 12 hours of discovering the problem it had been "fully weaponized.” He said criminals have already developed and distributed tools to exploit it.

Experts say the bug, another word for a software problem, may be the worst computer weakness discovered in years. The Apache software is used in almost all cloud computing servers, across industry and government.

Unless it is fixed, the bug gives criminals the ability to easily access internal networks. There, they could steal important data, put malware in place, and do much more damage.

Joe Sullivan is the head of security for Cloudflare, a company that protects websites from security threats.

“I’d be hard-pressed to think of a company that’s not at risk,” he said. Millions of servers have the software, and experts said the impact would not be known for several days.

Amit Yoran is the head the cybersecurity company Tenable. He called it “the single biggest, most critical vulnerability of the last decade,” and maybe the history of modern computing.

Experts said the vulnerability makes it easy for an attacker to access a web server, and makes it very dangerous. There is no password required to access a server.

Patching the bug could be a difficult job. Most organizations and cloud providers like Amazon should be able to update their web servers easily. But the same Apache software is also used by many third-party programs, which often can only be updated by their owners.

Yoran, of Tenable, said organizations need to act as if they have been affected and fix the problem.

The first clear signs of the bug's exploitation appeared in Minecraft, an online game popular with children. Attackers were able to take over one of the world-building game’s servers before Microsoft, which owns Minecraft, patched the problem.

Microsoft said it had completed a software update for Minecraft users. “Customers who apply the fix are protected,” the company said.

Researchers say the vulnerability could also be exploited in servers run by companies like Apple, Amazon, Twitter and Cloudflare.

Words in This Story

vulnerability — n. something open to attack, harm, or damage​

utility — n. a computer program that does a specific task​

patch — n. a program that corrects or updates an existing program​

exploit — v. to use in a way that helps you unfairly​

malware — n. a computer program that is designed to damage or break into a computer​