Late last week, cybersecurity firm LunaSec uncovered a critical vulnerability in the open-source Log4j library that could give hackers the ability to run malicious code on remote servers. Countless apps and services were said to be vulnerable to the exploit, known as Log4Shell, including iCloud, Minecraft, and many others.
According to the Eclectic Light Company, Apple has patched the iCloud hole. The site reports that researchers were able to demonstrate the vulnerability when connecting to iCloud through the web on December 9 and December 10, but the same vulnerability no longer worked on December 11. The exploit doesn’t appear to have affected macOS.
The vulnerability was exploited in Minecraft before Microsoft patched it over the weekend. According to security researchers, all a hacker had to do was paste a seemingly innocuous message into the chat box to compromise Minecraft’s servers. Similar methods of exploitation can be used to hack into any app running the free Log4j library. Check Point estimates that some 850,000 attacks were attempted within just 72 hours of the initial outbreak. It’s not clear if Apple’s iCloud was among the targeted systems.
It’s unclear how many apps are affected by the bug, but the use of Log4j is extremely widespread. CrowdStrike’s Adam Meyers said the vulnerability has been “fully weaponized” and tools were readily available to exploit it. “The internet’s on fire right now,” he added shortly after the exploit was made public.
The Apache Software Foundation, which runs the project, rated the vulnerability a 10 on its risk scale due to the ease with which it could be exploited and the widespread nature of the tool. The Log4j library is used around the web for logging, a universal practice among web developers. Apache has pushed out an update, but the ubiquity of the Java tool means many apps are still vulnerable. Amit Yoran, CEO of cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade.”
Even if you use one of the affected apps, your Mac won’t be at risk. When exploited, the bug affects the server running Log4j, not the client computers, although it could theoretically be used to plant a malicious app that then affects connected machines. If you host your own server and run any sort of logging on your Mac, however, you should apply the fix, as you might be at risk and not know it.
Update 12/14: Check Point reports that some 850,000 attacks have been waged since the Log4Shell exploit was publicized.