Apple has patched the “Log4Shell” iCloud vulnerability after it was revealed last week that a dangerous security flaw in the open source tool Log4j put millions of apps at risk.
Cybersecurity experts called the vulnerability “the most critical vulnerability in a decade.” As a reminder, Log4j is an open source logging tool that is widely used by both websites and apps. The vulnerability discovered in it could be exploited in literally millions of applications.
A new exploit called "Log4Shell" is causing headaches for security teams at major technology companies. If the vulnerability is exploited, hackers can execute malicious code on vulnerable servers. This also affects services such as Apple's iCloud.
The widespread use of Log4j makes it particularly easy for attackers to use the Log4Shell exploit.
To exploit the vulnerability, an attacker must trick the application into storing a specific string in the log. Because applications routinely log a variety of events - such as messages sent and received by users or the details of system errors - the vulnerability is unusually easy to exploit and can be triggered in a variety of ways.
"Log4Shell": Apple closes iCloud security gap
Apple's iCloud was one of the services affected by the vulnerability. Macworld now reports that Apple, Microsoft and other service providers acted quickly.
As reported by the Eclectic Light Company, Apple has patched the iCloud vulnerability. The website reports that researchers were able to demonstrate the vulnerability when connecting to iCloud via the web on December 9 and 10. On December 11, the same vulnerability stopped working. macOS does not appear to be affected by the vulnerability. The vulnerability was exploited in Minecraft before Microsoft patched it over the weekend.
Adam Meyers of Crowdstrike said the vulnerability was "fully weaponized" and that tools to exploit the vulnerability were readily available, adding:
The internet is currently on fire.
The Apache Software Foundation, which runs the project, rated the vulnerability at 10 on its risk scale because it is so easy to exploit and the tool is so widely used. In any case, Apache has now released version 2.16.0 of Log4j. This means that the vulnerability has now been completely fixed. However, given the large number of websites and services that use the library, it may take some time until the security hole is closed worldwide. Nevertheless, iCloud is at least safe again.
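Because closing the hole everywhere depends on finding every deployed copy of the library, the following inventory check flags Log4j jars older than the 2.16.0 release named above. It is an added example, not code from the article or from Apache; the Maven-style file name `log4j-core-<version>.jar` and the sample paths are assumptions, and copies bundled inside other archives are not detected by file name.

```python
import re

# Release the article names as the fixed version.
FIXED = (2, 16, 0)

# Assumption: Maven-style file names such as log4j-core-2.14.1.jar
JAR_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?([-.][A-Za-z0-9.]+)?\.jar$"
)

def parse_version(filename):
    """Return ((major, minor, patch), has_suffix), or None if not a log4j-core jar."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix is not None

def classify(path):
    """Classify one path as 'outdated', 'ok' or 'not-log4j-core'."""
    filename = re.split(r"[\\/]", path)[-1]  # accept POSIX and Windows separators
    parsed = parse_version(filename)
    if parsed is None:
        return "not-log4j-core"
    version, has_suffix = parsed
    # Any suffix on the fixed version (e.g. -rc1) is treated conservatively as older.
    if version < FIXED or (version == FIXED and has_suffix):
        return "outdated"
    return "ok"

def audit(paths):
    """Map every log4j-core jar in paths to its status; unrelated files are skipped."""
    report = {}
    for path in paths:
        status = classify(path)
        if status != "not-log4j-core":
            report[path] = status
    return report

# Constructed sample inventory, not taken from the article.
SAMPLE = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/srv/old/WEB-INF/lib/log4j-core-2.0-beta9.jar",
    "C:\\services\\search\\lib\\log4j-core-2.16.0.jar",
]

if __name__ == "__main__":
    for jar, status in audit(SAMPLE).items():
        print(f"{status:9} {jar}")
```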