"It will take years to tackle this issue, while attackers will be looking... on every day [to exploit itfor vulnerabilities]," said David Kennedy the CEO of cybersecurity company TrustedSec. "This is a ticking time bomb for businesses."
Here are some tips you need to be aware of:
Log4j What is it, and why is it important?
According to cybersecurity experts, Log4j is among the most widely used online logging libraries. Log4j offers software developers the possibility of creating an inventory of activities that can be used to serve a variety of functions for troubleshooting, auditing , and data tracking. The library is free and open source and can be used in all areas of the internet.
"It's ubiquitous. Even if you do not use Log4j directly as an author, you could still be vulnerable to malware because one open source library that you use relies on Log4j," Chris Eng of cybersecurity firm Veracode told CNN Business. "This is the nature of software that is a turtle all the way down."
The software is used by companies like Apple, IBM and Oracle, Cisco, Google, Amazon and Cisco. Need realtor could be used in popular websites and apps and millions of devices around the world which access these services could be exposed to security vulnerabilities.
Are hackers exploiting it?
According to cybersecurity firm Cloudflare the attackers are believed to have had more time than one week to exploit the flaw in the software before it was made public. With so many hacking attempts happening every day, many are worried that the most severe attack is not yet over.
"Sophisticated threat agents will find a way to really weaponize vulnerability to gain maximum benefits," Mark Ostrowski (Check Point's chief engineer) stated on Tuesday.
Microsoft announced late on Tuesday that state-backed hackers, which includes those from China, Iran and North Korea tried to exploit the Log4j flaw.
What makes this security flaw so dangerous?
Experts are especially concerned about the vulnerability because hackers are able to gain access to a company's server, giving them entry into other networks. It's also very hard to identify the vulnerability or see whether a system has been compromised, according to Kennedy.
A second vulnerability was also discovered in Log4j's software late on Tuesday. Apache Software Foundation, a nonprofit that developed Log4j and other open source software, has released an update on security that organizations are able to use.
What are the companies doing to tackle the issue?
This week, Minecraft published a blog post announcing a vulnerability was discovered in a version of its game. It promptly released an update. Other companies have followed similar steps.
US warns that millions of devices are at risk of being affected by a new vulnerability in software
Customers have received advisories from IBM, Oracle, AWS, Cloudflare, and AWS. Some release security updates, while others describe their plans for possible patches.
"This is such a serious bug, but it's not something you can press the button to fix it like a typical major vulnerability. It's going take an enormous amount of time and effort," said Kennedy.
To be transparent and to cut down on confusion, CISA said it would set up a public website with updates on what software products were affected by the flaw and the ways hackers took advantage of the vulnerabilities.
What can you do for your security?
The burden is on companies to act. It is imperative that users upgrade their software, apps and devices as they are prompted by companies in the coming days or weeks.
What's next?
The US government has warned affected companies to be on alert for ransomware attacks and cyberattacks during the holidays.
There is a concern that an increasing number of malicious actors will make use of the vulnerability in innovative ways, and while large technology companies may have security teams in place to handle these potential threats However, many other organizations do not.
"What I am most concerned about are schools hospitals, schools, and areas where there is only one IT employee who does security but does not have the security budget or tools," Katie Nickels, Director Intelligence at cybersecurity company Red Canary. "Those are the organizations I am most concerned about - small organizations with low budgets for security."