Log4j, Should You Be Worried?

Icon of a padlock representing cyber security

What is happening

On Dec. 9, word of a newly discovered computer bug in a hugely popular piece of computer code started rippling around the cybersecurity community. By the next day, nearly every major software company was in crisis mode, trying to figure out how their products were affected and how they could patch the hole.

The descriptions used by security experts to detail the new vulnerability, in an extremely common section of code called log4j, border on the apocalyptic.

The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career

Jen Easterly, U.S. Cybersecurity and Infrastructure Security Agency director

What is Log4j

Log4j is a chunk of code that helps software applications keep track of their past activities. Instead of reinventing a “logging” — or record-keeping — component each time developers build new software, they often use existing code like log4j instead. It’s free on the Internet and very widely used, appearing in a “big chunk” of Internet services.

Each time log4j is asked to log something new, it tries to make sense of that new entry and add it to the record. A few weeks ago, the cybersecurity community realized that by simply asking the program to log a line of malicious code, it would execute that code in the process, effectively letting bad actors grab control of servers that are running log4j.

Reports differ when it comes to who first raised the alarm about the vulnerability. Some people say it surfaced in a forum dedicated to the video game Minecraft. Others point to a security researcher at Chinese tech company Alibaba. But experts say it’s the biggest software vulnerability of all time in terms of the number of services, sites and devices exposed.

Should I be worried

The fact that log4j is such a ubiquitous piece of software is what makes this such a big deal. Imagine if a common type of lock used by millions of people to keep their doors shut was suddenly discovered to be ineffective. Switching a single lock for a new one is easy, but finding all the millions of buildings that have that defective lock would take time and an immense amount of work.

Log4j is part of the Java programming language, which is one of the foundational ways software has been written since the mid-90s. Huge swaths of the computer code that modern life runs on use Java and contain log4j. Cloud storage companies such as Google, Amazon and Microsoft, which provide the digital backbone for millions of other apps, are affected. So are giant software sellers whose programs are used by millions, such as IBM, Oracle and Salesforce. Devices that connect to the Internet such as TVs and security cameras are at risk as well. Hackers who try to break into digital spaces to steal information or plant malicious software suddenly have a massive new opportunity to try to get into nearly anywhere they want. That doesn’t mean everything will be hacked, but it just got a lot easier to do so — just as if the locks on half of the homes and businesses in a city suddenly stopped working all at once.

On top of all that, the vulnerability is straightforward to take advantage of. In the Minecraft video game, it’s as easy as typing a line of malicious code into the public chat box during a game. On Twitter, some people changed their display names to strings of bad code.

The vulnerability also gives hackers access to the heart of whatever system they’re trying to get into, cutting past all the typical defenses software companies throw up to block attacks. Overall, it’s a cybersecurity expert’s nightmare but whether or not you should be worried depends on your internet practices. If you're careful, safe, and regularly update your applications/anti-virus then you should be ok.

What can I do

Encouraging readers to be smart online on phones, tablets, and computers

To take advantage of the vulnerability, hackers have to deliver malicious code to a service running log4j. Phishing emails — those messages that try to trick you into clicking a link or opening an attachment — are one way to do so. Keep an eye out for an influx of phishing messages in the coming days as hackers scramble to plant bad code in as many places as possible.

If you get an email saying that your account has been compromised or your package failed to deliver, don’t open any links or attachments. First, make sure you actually have an account with that company or were expecting mail from that carrier. Then, find a real customer service number or address online and reach out that way.

Wrap up

The best thing regular computer users can do is make sure the apps they use are updated to their most recent versions. Developers will be sending out patches over the coming days to fix any log4j issues, and downloading those quickly will be important.

Sit back, take a deep breath. It’s not the end of the world, it’s going to be very busy the next few days for security folks.

For the most part, consumers should just wait and let the experts fix their software programs.

Need help with your Puget Systems PC?

If something is wrong with your Puget Systems PC. We are readily accessible, and our support team comes from a wide range of technological backgrounds to better assist you!

Contact Puget Systems Support

Looking for more support guides?

If you are looking for a solution to a problem you are having with your PC, we also have a number of other support guides that may be able to assist you with other issues.

Puget Systems Online Help Guides