Apple patches Log4Shell iCloud vulnerability that set internet ‘on fire’

Massive exploit affects millions of apps.

Credit: IDG

Late last week, cyber security firm LunaSec uncovered a critical vulnerability in the open source Log4j library that could give hackers the ability to run malicious code on remote servers. Countless apps and services were said to be vulnerable to the exploit, known as Log4Shell, including iCloud, Minecraft, and many others.

According to the Eclectic Light Company, Apple has patched the iCloud hole. The site reports that researchers were able to demonstrate the vulnerability when connecting to iCloud through the web on December 9 and December 10, but the same vulnerability no longer worked on December 11. The exploit doesn't appear to have affected macOS.

The vulnerability was exploited in Minecraft before Microsoft patched it over the weekend. According to security researchers, all a hacker had to do was paste a seemingly innocuous message into the chat box to compromise Minecraft's servers. Similar methods of exploitation can be used to hack into any app running the free software.

It's unclear how many apps are affected by the bug, but the use of Log4j is extremely widespread. Crowdstrike's Adam Meyers said the vulnerability has been fully weaponised and tools were readily available to exploit it. "The internet's on fire right now," he added shortly after the exploit was made public.

The Apache Software Foundation, which runs the project, rated it a 10 on its risk scale due to the ease with which it could be exploited and the widespread nature of the tool. The Log4j library is used around the web for logging, a universal practice among web developers.

Apache has pushed out an update, but the ubiquity of the Javascript tool means many apps are still vulnerable. Amit Yoran, CEO of cyber security firm Tenable, called it the single biggest, most critical vulnerability of the last decade.

However, even if you use one of the affected apps, your Mac won't be at risk. When exploited, the bug affects the server running Log4j, not the client computers, although it could theoretically be used to plant a malicious app that then affects connected machines. 

That said, if you host your own server and run any sort of logging method on your Mac, you should run the fix, as you might be at risk and not know it.
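One way to find out whether a self-hosted server carries Log4j without your knowing it, as an added example that is not from the original article: the Python code below looks inside Java archives, including archives nested within other archives, for a bundled copy of the library. The function names are hypothetical, the two paths are the standard layout of a log4j-core 2.x jar rather than anything stated in the article, and the sample archive and its version string are constructed.

```python
import io
import zipfile
from pathlib import Path

# log4j-core 2.x jar layout (library facts, not from the article): the JNDI lookup
# class that Log4Shell abuses, and the Maven metadata file that carries the version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, findings=None, depth=0, max_depth=5):
    """Record each copy of log4j-core in an archive, descending into nested archives."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # wrong extension or corrupt file: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names or POM_PROPS in names:
            version = "unknown"
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
                version = next((p.split("=", 1)[1].strip() for p in props if p.startswith("version=")), version)
            findings.append({"path": label, "version": version, "jndi_lookup": JNDI_CLASS in names})
        for name in sorted(names):  # nested archives; depth is bounded against crafted input
            if depth < max_depth and name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), f"{label}!/{name}", findings, depth + 1, max_depth)
    return findings

def scan_tree(root):
    """Scan every Java archive under a directory, such as a server's install path."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

def constructed_sample():
    """Constructed sample: an application archive bundling log4j-core one level down."""
    def pack(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()
    inner = pack({JNDI_CLASS: b"", POM_PROPS: b"version=0.0.0-sample\n"})
    return pack({"BOOT-INF/lib/log4j-core.jar": inner, "app/Main.class": b""})

if __name__ == "__main__": print(scan_archive(constructed_sample(), "app.jar"))
```

The scan only reports where the library is and which version it claims to be; whether that copy still needs the fix is decided by comparing the version against the update Apache has released. A copy that has been repackaged under different paths will not match these two names.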

Michael Simon

Macworld.com