Checklist 259: Log4j and the Biggest Bug in the World
This week on The Checklist:
A big story about a big bug
Log4j is the most serious vulnerability that anyone has seen in quite a while. Security experts say that it could cause “incalculable damage” and “haunt the Internet for years”.
It’s a huge story, but we’re going to do our best to break it down for you one step at a time.
First, a very basic question: What is Log4j? The quick answer is that it is a popular piece of open-source software that creates log files for Java programs. A log file is just a record of everything that a program has done. It’s the kind of data that is useful to a programmer who wants to debug an app or understand how users are interacting with it.
OK, so what’s wrong with Log4j? Well, as a Popular Science piece explains:
When information is passed to log4j, it commonly has to go through the website on which log4j is performing those logging operations. However—and here’s where this serious bug comes into play—if someone sends the library a command in the form of a special string of characters tucked within that data, instead of just logging that information, log4j will execute it as though it is code in a program.
Needless to say, that’s bad. As in, very bad. The exploit for the Log4j vulnerability — dubbed “Log4Shell” — can be used to inject malicious code or even completely take over a vulnerable website.
How widespread is Log4j?
Log4Shell can only be used to attack websites that are running Log4j. The problem is: That’s a ton of websites.
Log4j is tremendously popular in both open-source and enterprise software. The list of companies that use it includes IBM, Oracle, AWS, Microsoft, and Apple.
To make matters worse, figuring out which websites are vulnerable is relatively simple. The bad guys can just build an automated tool that scans all of the websites on the Internet and determines which ones can be attacked with Log4Shell.
And it looks like the attacks are already underway. One cybersecurity company says that it has discovered malicious cryptomining operations that are attempting to exploit Log4j. In Switzerland, investigators have found evidence of Log4j being used in botnet DDoS attacks. Security researchers at CheckPoint, meanwhile, report that they have observed “attempted exploits of the Log4j vulnerability … on more than 44% of corporate networks worldwide”.
What can you do about Log4j?
For the most part, Log4j will have to be handled by software developers and enterprise security teams.
For average users, the most important thing to do is to update all of your devices and software just as soon as updates become available. This may be a good time to turn on automatic app updates if you haven’t done so already. And don’t forget to update your IoT devices too: all of those “smart things” that you have in your house. If you find that you can’t apply an update because a device is no longer supported, consider taking it off your network or even getting rid of it altogether.
In addition, keep close watch over your accounts for signs of unusual activity. Pay special attention to sensitive websites that would be more likely to be targeted by bad actors (for example, banking or financial sites).
Apple updates everything (and more)
After that rather scary Log4j story, you’re probably in the mood for some positive security news! Well, you’re in luck: We have quite a bit of it this week. Apple just updated everything, and even improved security on a non-Apple platform. Here’s what you need to know:
iOS 15.2 and iPadOS 15.2
Apple patched 38 bugs in this round of updates. It also brought some long-awaited features online as well. App Privacy Report is now live in Settings. It lets you see what permissions have been requested by the apps on your device — and what they’re doing on your network. Apple also rolled out its Digital Legacy feature in iOS (we’ll cover this one in more detail on a future show).
On hold for now: the controversial iOS CSAM-scanning feature, discussed in full on Checklist 242: Expanded Protections and Pushback. It’s not part of the iOS 15.2 update, and Apple has removed mention of the proposed child safety measure from its website. However, this doesn’t mean that the company is abandoning its plans altogether. According to a MacRumors piece, Apple officials say that the plan to implement on-device scanning is expected to move forward.
Updates for Mac users
If you’re on macOS Monterey, you can now update to version 12.1. The update includes a number of new features and tweaks, along with 42 security updates.
Users of older versions of macOS received updates as well: These were released as macOS Big Sur 11.6.2 and Security Update 2021-008 Catalina. The bug fix tally was 31 for Big Sur and 28 for Catalina.
You know the drill. If you haven’t updated your Mac yet, we’d recommend doing so right away.
Watches, TVs, and … robots?
Apple has also released updates for watchOS (watchOS 8.3) and for tvOS (tvOS 15.2).
The update for Apple Watch fixes 25 vulnerabilities. tvOS 15.2, for its part, addresses 22 different security issues. If you’ve got ‘em, patch ‘em.
Last but not least: Apple has introduced some help for Android users concerned about being stalked via AirTag.
iPhone users, of course, have had access to tracking alerts for some time now. But until this week, if your phone ran on Android, you were pretty much out of luck. The best Apple could for you do was suggest that you to listen for a beeping AirTag!
That has changed: Android users can now download the “Tracker Detect” app from the Google Play Store. It’s designed to help non-iPhone users detect when someone is tracking them with an AirTag or other Find My device. If you know someone who uses Android, you might want to tell them about the app.
If you’d like to ask a security or privacy question, please write to us. For a look at past shows, visit The Checklist archives.