Certain types of software are ubiquitous. Microsoft Windows runs on millions of computers worldwide, and Google Chrome is the default browser for many people. The Java programming language is another such digital tool, used in everything from mobile software to web-based applications and even the middleware that many businesses rely on. Unfortunately, that very ubiquity can work against software in some cases, and cyber security is one of them. A major vulnerability has been discovered in the Log4J logging utility, a favorite of Java developers.
What Is Log4J?
The Log4J utility is one of the most popular developer tools in the Java software world: a Java-based, open-source logging utility. It can be configured to record and report “events,” such as errors, so that developers can monitor software and eventually address its flaws. Because it is easy to use and useful, Log4J has been embedded in a huge range of software, including the hundreds of millions of mobile devices in which such embedded software runs.
Unfortunately, a vulnerability has been found in the Log4J utility, and because Log4J is so ubiquitous, this has created a severe cybersecurity threat.
Significant Loss Of Control In Cyber Security
The Log4Shell vulnerability has been given a Common Vulnerability Scoring System (CVSS) score of 10, the most severe rating. Specific examples of exploitation of this cyber security vulnerability include DDoS attacks, remote seizure of control over applications and execution of code within them, auctioning access to corporate networks to the highest criminal bidder, and even diverting part of a network's computing resources to mining cryptocurrency.
Why It Happens
The Log4Shell vulnerability is the latest example of the struggle between cost and safety. The most cost-efficient approach in software is to reuse existing resources, sometimes even older ones, rather than building a unique, bespoke solution in-house. While this lowers costs, older applications and processes also tend to be more vulnerable than the newest application or tool, which, while more expensive, is also far more resistant. Every company wrestles with how much is too much to spend on security.
Now companies are scrambling to identify, address and patch this vulnerability, but it showcases the ongoing need to maintain modernized security measures. New software, new upgrades, and new user control systems such as passwordless identity and authentication reduce the chance of a critical vulnerability being found and exploited, because modern passkeys offer phishing-resistant, user-centric security.
If you’re interested in using the FIDO protocol and moving to a passwordless identity and authentication system, read here to learn more.