Sure, you probably expected the usual Microsoft updates, but who saw the Log4j vulnerability coming?
The recently discovered Log4j flaw is like the gift that keeps on giving. Except instead of a gift, it’s a headache. And, instead of giving, it’s lingering.
Already, three patches have been issued. Yes, three. And, it’s still not necessarily over.
This widespread flaw lurks inside many common web applications, highlighting the importance of monitoring for zero-day attacks.
That’s because when vulnerabilities like these are announced, cybercriminals immediately start trying to exploit them.
In fact, in the days following the disclosure, the Log4j exploit saw 40% of corporate networks attacked.
So what, exactly, is going on?
Log4j Overview
Nearly all Java applications use the Log4j logging tool.
And, a surprising number of software companies embed Java tools into their web applications.
That makes the Log4j flaw incredibly widespread. In fact, by one estimate, 88% of customers had Log4j in their environment, making it likely you do as well.
With this vulnerability, servers, virtual machines, IP cameras, and a host of operational technology (OT) devices using Java code instantly became targets.
Data theft, cryptomining, ransomware, web shells, and botnet attacks are all very real possibilities.
To correct the error, Apache rushed out a corrective patch. Unfortunately, the patch contained flaws.
This left Apache scrambling to follow up with both a revised version and vulnerability identifier. Again, there were problems.
So, for a third time, a correction was issued. Hopefully, it’s the last one necessary.
Although this helps you with your systems, if your software vendors remain exposed, you could still be at risk.
For example, one of the world’s leading producers of business software, SAP, issued 20 patches last week, but noted 12 additional applications still need workarounds.
Patching SAP and other software often falls outside of normal patching routines. Since it also requires specialized effort from your IT teams and outsource partners, you’ll want to double-check to ensure these processes are underway.
Microsoft Updates
Microsoft suffered some of the first Log4j attacks when independently hosted Minecraft servers came under attack.
They quickly issued patches fixing 67 flaws, addressing the Log4j vulnerability along with many others.
Some of these patches address actively targeted zero-days, such as the Windows AppX Installer, exploited by the Emotet botnet. The also addressed the Windows Mobile Device Management elevation of privilege vulnerabilities.
Given the active abuse and high severity rating of these weaknesses, Microsoft urges you to immediately install patches if your system doesn’t automatically update.
Other Key Updates: Chrome, Adobe, Cisco
Logj4 might be the most widespread issue right now, but it’s not the only one.
Google Chrome recently released security fixes for one critical and three high-severity vulnerabilities that should automatically update once you restart your browser.
It should be a pretty simple fix, right? After all, closing and opening an internet browser is about as simple as things get.
However, it’s not unusual for people to leave their computers on for days or weeks at a time, with an internet tab opened the entire time. As a result, you’ll want make sure your team knows to perform a simple computer restart.
Further, Adobe issued patches for more than 60 security flaws in their various design and media software, including Premiere Pro, Media Encoder, and Photoshop.
This software tends to be used in marketing departments, so you’ll want to check in with them about their update status.
Finally, Cisco released updates to address Log4j vulnerabilities in many different products.
As with the SAP and Adobe patches above, these updates likely fall outside of your typical patching processes, so make sure your teams have a plan to implement the updates – or take steps to mitigate them.
Choose Continuous Protection
When emergency patches for critical exploits arrive within days of expected Microsoft, Adobe, Apple, and other patches, it’s a struggle for IT teams to keep up with procedures.
Attackers know they have a limited window to strike, and during the update chaos, it’s easy to miss signs of attack.
Choosing between updates or security awareness exposes you to attack. With today’s high volume of malicious attackers, you can’t let your team’s limitations compromise your security.
For overworked teams faced with this decision, outsourcing provides the path to both security and updates.
Outsourcing also helps provide focus – after all, applying patches or implementing IT workarounds don’t contribute to your business objectives or provide a competitive advantage.
For a free consultation on how outsourcing can help your team, contact Ideal Integrations at 412-349-6680 or fill out the form below.
Our experts listen to your concerns, answer your questions, and walk you through options for all of your IT needs.