How to Buy Precious Patching Time as Log4j Exploits Fly

Podcast: Cybereason shares details about its vaccine: a fast shot in the arm released within hours of the Apache Log4j zero-day horror show being disclosed.

Sure, Apache got a patch out fast when the Log4j logging library vulnerability – aka Javageddon or “up there with Shellshock” – exploded last week.

But emergency patches take days (best-case scenario) or weeks to install: plenty of time for attackers to do their worst.

Which they lickety-split did, and which they continue to do: Within hours of public disclosure of the flaw in the ubiquitous Java logging library, attackers were scanning for vulnerable servers and unleashing attacks to drop coin-miners, Cobalt Strike malware, the new Khonsari ransomware, the Orcus remote access trojan (RAT). reverse bash shells for future attacks, Mirai and other botnets, and backdoors. The list keeps growing.

Time was, and is, of the essence. Fortunately, multiple security pros, including Marcus Hutchins and Cybereason researchers, saw a simple way to kneecap the dizzying array of exploits and whipped up a vaccine. On Friday, Cybereason released the open-source Logout4Shell: A quick shot in the arm that disables the problematic Java Naming and Directory Interface, or JNDI, at the heart

Read More: https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/