Late last week, cyber security firm LunaSec uncovered a critical vulnerability in the open source Log4j library that could give hackers the ability to run malicious code on remote servers. Countless apps and services were said to be vulnerable by the exploit, known as Log4Shell, including iCloud, Minecraft, and countless others.
According to the Electic Light Company, Apple has patched the iCloud hole. The site reports that researchers were able to demonstrate the vulnerability when connecting to iCloud through the web on December 9 and December 10, the same vulnerability no longer worked on December 11. The exploit doesn't appear to have affected macOS.
The vulnerability was exploited in Minecaft before Microsoft patched it over the weekend. According to security researchers, a hacker merely had to do was paste a seemingly innocuous message into the chat box to compromise Minecraft's servers. Similar methods of exploitation can be used to hack into any app running the free software.
It's unclear how many apps are affected by the bug, but the use of log4j is extremely widespread. Crowdstrike's Adam Meyers said the vulnerability has been fully weaponised and tools were readily available to exploit it. The internet's on fire right now, he added shortly after the exploit was made public.
The Apache Software Foundation, which runs the project, rated it a 10 on its risk scale due to the ease of which it could be exploited and the widespread nature of the tool. The Log4j library is used by around the web for logging, a universal practice among web developers.
However, even if you use one of the affected apps, your Mac won't be at risk. When exploited, the bug affects the server running Log4j, not the client computers, although it could theoretically be used to plant a malicious app that then affects connected machines.
However, if you host your own server and run any sort of logging methods on your Mac, you should run the fix, as you might be at risk and not know it.