FTC to pursue companies that expose customer data due to not patching Log4j


By Chris Duckett, APAC Editor, January 4, 2022 | Topic: Security

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Image: perinjo/Getty

The United States Federal Trade Commission has issued a warning that it will pursue companies that do not remediate the vulnerability in the Java logging package Log4j.

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the agency said on Tuesday.

“Failure to identify and patch instances of this software may violate the FTC Act.”

The agency cited its $700 million settlement with Equifax in 2019 as an example of what could happen if customer data is exposed.

“The Log4j vulnerability is part of a broader set of structural issues. It is one of thousands of unheralded but critically important open-source services that are used across a near-innumerable variety of internet companies,” the FTC said.

“These projects are often created and maintained by volunteers, who don’t always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy.

“This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security.”

Earlier on Tuesday, Microsoft said people might not be aware of how widespread the Log4Shell issue is in their environments, and warned that attempts to exploit it remained high through the end of 2021.

“At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” the software giant said.

“Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.”

Cloudflare warned last month that it had detected activity related to the remote code execution exploit as early as December 1, meaning the vulnerability was in the wild for at least nine days before it was publicly disclosed.
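The FTC's "identify and patch instances of this software" and Microsoft's "long tail for remediation" both come down to the same practical problem: knowing where Log4j actually lives on your systems, including copies bundled inside application archives. The script below is an added example written for this article, not code from the FTC, Microsoft, Cloudflare or the Log4j project. It walks a directory tree, opens every JAR/WAR/EAR, reads the log4j-core version from its Maven pom.properties, recurses into nested archives (the shaded or "fat" jars that inventory tools often miss), and flags anything below a threshold. The 2.17.0 threshold, the constructed sample tree and all function names are assumptions for illustration; adjust the threshold to your organisation's patch baseline.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed patch baseline for this example: anything older is flagged.
FIXED_VERSION = (2, 17, 0)
# Where Maven-built log4j-core jars record their version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Package prefix present in every log4j-core jar, even without Maven metadata.
CORE_MARKER = "org/apache/logging/log4j/core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); returns None if no numeric version is present."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def inspect_archive(zf, location):
    """Yield (location, version_str) for each log4j-core found in zf, recursing into nested archives."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        yield location, (m.group(1).strip() if m else "unknown")
    elif any(n.startswith(CORE_MARKER) for n in names):
        # Core classes are present but the Maven metadata was stripped: still a hit.
        yield location, "unknown"
    for n in names:
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(n)))
            except zipfile.BadZipFile:
                continue
            yield from inspect_archive(inner, f"{location}!/{n}")


def scan(root, fixed=FIXED_VERSION):
    """Return a list of findings: path, version and whether it is below the baseline (unknown counts as below)."""
    findings = []
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES):
            continue
        try:
            with zipfile.ZipFile(path) as zf:
                for loc, ver in inspect_archive(zf, str(path)):
                    parsed = parse_version(ver)
                    findings.append({"path": loc, "version": ver,
                                     "vulnerable": parsed is None or parsed < fixed})
        except zipfile.BadZipFile:
            continue
    return findings


def _make_jar(dest, version=None, with_core=True, nested=None):
    """Write a minimal constructed archive; version=None omits the Maven metadata."""
    with zipfile.ZipFile(dest, "w") as zf:
        if with_core:
            zf.writestr(CORE_MARKER + "Logger.class", b"")
        if version:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
        if nested:
            zf.writestr(nested[0], nested[1])


def build_sample_tree(root):
    """Constructed sample: an old log4j-core, a patched one, a WAR embedding an old copy, an unrelated jar."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    _make_jar(root / "lib" / "log4j-core-2.14.1.jar", "2.14.1")
    _make_jar(root / "lib" / "log4j-core-2.17.0.jar", "2.17.0")
    inner = io.BytesIO()
    _make_jar(inner, "2.13.3")
    _make_jar(root / "app.war", with_core=False,
              nested=("WEB-INF/lib/log4j-core-2.13.3.jar", inner.getvalue()))
    _make_jar(root / "lib" / "other.jar", with_core=False)


def demo():
    """Build the constructed sample in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for f in demo():
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} {f['version']:8} {f['path']}")
```

Point `scan()` at an application root or a mounted image rather than the constructed sample to produce a real inventory. The nested-archive recursion is the part worth keeping: a filename check alone reports nothing for the WAR in the sample, while the scan finds the 2.13.3 copy inside it, which is exactly the kind of instance the FTC statement expects organisations to identify.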
