Apple patched iCloud against massive Log4Shell vulnerability
Researchers reportedly weren’t able to demonstrate the iCloud vulnerability after December 11th
Late last week, details emerged about a wide-reaching security vulnerability that affected tons of online services and apps, including Apple’s iCloud service. However, the iPhone-maker has reportedly already patched the flaw.
As a refresher, the vulnerability, dubbed ‘Log4Shell,’ impacts an open-source logging library called ‘log4j’ that’s widely used in online services to log events, errors, activities and more. The Log4Shell flaw effectively allowed an attacker to gain access to servers running log4j and remotely execute code on them simply by getting the logging system to log a specific string of characters.
Due to the wide use of log4j, several major online services are (or were) vulnerable to Log4Shell. Minecraft was among the first platforms impacted by Log4Shell, with attackers posting chat messages containing the specific string to attack servers. A Minecraft patch released Friday fixed the vulnerability.
Other services impacted by Log4Shell included Steam, Twitter, Amazon, Tesla and more. Apple’s iCloud was on the list, but Apple reportedly patched the service on December 11th.
According to The Eclectic Light Company, a blog about Macs and paintings (via Macworld and 9to5Mac), researchers were able to demonstrate the Log4Shell vulnerability when connecting to iCloud through the web on December 9th and 10th. However, the process no longer worked on December 11th.
Ultimately, it appears Apple patched the security flaw in iCloud rather quickly. That’s good news for any iCloud users out there and should be par for the course with large tech companies. There’s also a log4j patch available that helps mitigate the security vulnerability, which should help with patching vulnerable services.
Unfortunately, thanks to the wide-ranging impact of Log4Shell, it will likely take time for all vulnerable services to issue patches.
Source: The Eclectic Light Company Via: Macworld, 9to5Mac