So we have a critical vulnerability in a software library that allows hackers to get access to your machine. It’s a library that huge quantities of other software make use of, so they all become vulnerable too. A mess doesn’t cover it and there is now a race between suppliers creating fixes and the attackers trying to hack into machines before they are fixed.
In trying to explain this it’s important to understand that modern software is like Lego - swathes of it are built from pre-built elements which may in turn contain pre-built elements. The software interacts with other software on your phone, PC, tablet and onto the servers that provide games like Minecraft, news websites, move information around the internet, run databases. It really is turtles all the way down. I’m using the library in my own code projects. :-
While news outlets tended to headline with Minecraft (a well known program that was exploited) Log4J is such a widely used component the consequences are pretty much everywhere and it’s going to take a lot of work to identify exactly what may have been affected. The good news is it seems to be on older systems and that same Lego construction means there can be other components that prevent a compromise.
Some observations can be made; mostly the speed at which exploits surfaced. Details of the flaw show it’s due to a common programming mistake - you have to assume all inputs from outside the code are potentially hostile. This wasn’t done and hence the vulnerability. It’s easy to blame the developers or those reviewing the code failing to spot the mistake. But developers have an ever expanding list of technologies and ‘possibles’ to deal with; relying on people spotting things isn’t an answer. And that’s assuming the bosses give time to such work. Which they don’t.
There isn’t an easy way out of this. It’s no use developing automated tools to spot the programming mistakes (they exist) if their usage is complex, time consuming and they are not applied on all the involved Lego bricks of software. It’s no good having the latest versions of software secure if older insecure software if left around. I’d suggest an answer involves governments and big software companies creating a focused organisation that does that testing and authorises an approved collection of software components, something very easy in the open source world. With enough effort that foundation could be vast and offer extensive choice. Imagine everything on github being in that collection ~ “gitsafe” (TM)? Developers are free to build what they like, but only using that foundation. Those who wish to add their component into the collection must jump the tested/secure/documented hoop ideally without being incompatible with other parts of “gitsafe”. And finally companies need to be held painfully accountable at the board level for data breaches - and if you have been using wild-west code outside “gitsafe” or failing to update to the latest releases the regulators hammer should fall. Heavily.
I can dream.
* and I’ll be recompiling with any updated version of the library just in case….
