Minecraft players using the Java version on PC, Mac, or Linux should update their game software to the latest version immediately
There is a very serious security flaw that could allow a malicious hacker to completely take over your computer This issue could also affect many other online services, such as Steam and Apple iCloud, but we don't yet know exactly how serious the threat to other platforms is (Update: It's exactly what we feared)
Ideally, you should have fully updated your Minecraft Java Edition client software to version 1181, which was released earlier today (December 10) In many cases, simply exiting the game and restarting the launcher will automatically update the game software to the latest version
"If you are playing Minecraft: Java Edition but are not hosting your own server, you will need to follow these steps
"Quit all running games and the Minecraft Launcher The patched version will automatically downloadPlayers running Minecraft Mods based on older versions of Java Edition will have to figure out how to migrate to version 1181 on their own as detailed in a post on the Minecraft blog, and must follow specific instructions depending on the version of the server software they are running Interestingly, versions below 17 seem to be unaffected by this flaw
The flaw also does not appear to affect Minecraft Bedrock Edition, aka Minecraft This edition is not Java-based and runs on Windows, mobile devices, and game consoles Its version is up to 1182
In general, if you downloaded the Minecraft software for Windows from the Minecraft website, or if you are using a Mac or Linux, you are running the Java edition
If you got the Windows version from Microsoft's online store, or if you are playing Minecraft on iOS, Android, or a gaming console, you are running the Bedrock Edition and are not at risk
"This exploit is quite serious in Minecraft Java Edition Since all chat messages are logged, anyone can send chat messages that exploit everyone on the server and the server itself Some of the major servers like 2b2t and Mineplex have shut down, and the larger servers that have not yet shut down are now in pure chaos" [This security flaw is not in Minecraft itself, but in the Java environment that Minecraft Java Edition uses to be cross-compatible on Windows, Mac, and Linux
Yesterday (December 9), a widely used open source logging utility called Log4j was found to have an extremely serious security flaw
It could allow an attacker to use a vulnerable version of Log4j to remotely control any client machine logged into a server running a Java instance Many servers running open source Apache software also use Log4j
Log4j has been patched and a new version is available today, but many servers have not yet updated their Java or Apache builds to incorporate it Most of the problems will be on the server side, but it is possible that some platforms will experience client-side issues; we really don't know yet
Another comment on the Hacker News forums said that Steam and Apple's iCloud are also vulnerable, but that has not been confirmed, and it is unclear whether the problem is just server-side or client-side as well
"I think we're going to see affected applications and devices continue to be identified for a long time," HD Moore, chief technology officer at Rumble, which is also the developer of the Metasploit hacking platform, told Ars Technica's Dan Goodin of Ars Technica
"This is a big problem for environments tied to old Java runtimes: web front-ends on various network appliances, old application environments using legacy APIs, Minecraft servers, etc
UPDATE: I'm getting responses from information security experts on Twitter that this could lead to a "mini-Internet meltdown"
"This emerged as a Minecraft problem [laughs], but it will affect a wide range of enterprise software for some time," said Kevin Beaumont, a well-known security researcher in northern England
He added, pasting screenshots of documentation of Log4j implementations in what appears to be Symantec's antivirus software, Blackberry's server software, Microsoft's Azure, and Barracuda's firewall
Rob Joyce, head of cybersecurity at the National Security Agency (NSA), tweeted that even the NSA's own free software analysis tool Ghidra uses Log4j He called this a "serious threat for abuse"
Comments