A new vulnerability called Log4j has security teams scrambling worldwide. Here's what you need to do - and what you don't need to do - about it.
There’s been a lot of talk over the weekend about a new vulnerability called “Log4j” and how it affects major cloud services like Steam, Apple iCloud, and apps like Minecraft. It’s serious enough that the US Cybersecurity and Infrastructure Agency (CISA) issued a statement on it on Friday December 11, 2021.
This is a major vulnerability that has sent teams around the world scrambling. Given that, many people may understandably be wondering “Am I affected?” and “What do I need to do to protect myself from this?”.
The short answer is that, if you're an average internet user, there's nothing you need to do. Unless you work directly with an “Apache server” or “Java” (the programming language, not the island or coffee), you’re not directly affected. There’s nothing you need to do to protect yourself from this threat beyond following the same best practices to protect your security and privacy online which, hopefully, you’re already following.
A vulnerability called “Log4j” is behind the current situation. A vulnerability is a flaw that cyber criminals can attack and maliciously exploit. Vulnerabilities are regularly found in software and fixed through security updates (sometimes referred to as “patches”). Most people are familiar with vulnerabilities and security updates from the security updates they regularly get from Apple and Microsoft.
In this case, the “Log4j” vulnerability affects servers rather than the systems and devices people own and directly use. That’s why it’s not something non-technical people need to worry about or take specific action on.
The vulnerability affects a Java-based logging package that’s widely used around the world and can enable attackers who attack and exploit it to take over servers. This could enable attackers to deface websites, implant malware, steal data, or anything else those attackers might choose to do.
If you do work with Apache or run a business and want more detailed technical information, this write-up by Cloudflare is a great resource.
Where Log4j can and maybe have affected you is if you need to update apps. For instance, we’ve already heard that the Java-edition of Minecraft has released an update in response to this issue. If you use the Java-edition of Minecraft, all you need to do is make sure you’re using the new, updated version.
Like we noted earlier, getting and applying updates is part of the regular process of keeping yourself safe online. It’s something that you should be doing regularly already. As long as you’re doing that, you’re already doing one of the most important things you can do to protect yourself against this latest threat, and many other threats out there.
Other important things that you can do (and hopefully are doing already) that can help protect you in situations like this are to run an up-to-date security package (like Avast One) and not click on links in emails or text messages.
The Log4j situation is very serious and security teams around the world are literally working around the clock to address it. But this situation is much like a building fire: The fire department is here and they’re fighting the fire. Unless you’re a firefighter yourself (in which case you’re likely not reading this now), you don’t need to do anything more than what you (hopefully) already do to protect your security and privacy online.