Hackers Hacking

Log4j Software Flaw

Elizabeth Dietz , Contributor

A major security flaw has been discovered in a piece of software called Log4j, which is used by scores of web servers. The bug leaves them open to attack, and teams around the world are scrambling to patch affected systems before hackers can exploit them. Log4j is a library that software uses to keep records of errors and other important events, called logs. Attackers can trick Log4j into running malicious code by forcing it to store a log entry that contains a specially chosen string of text; exactly how they get that string into a log varies from program to program. The code that makes up open source software may be viewed, run and, with checks and balances, even edited by anyone. This transparency can make the software more robust and secure, because many pairs of eyes are on it. But no software can be guaranteed safe.

The issue that permits the Log4Shell attack had been present in the code but was only recognized late last month by a security researcher at the Chinese computing firm Alibaba Cloud. He reported the matter immediately to the Apache Software Foundation, the American non-profit organization that oversees many open source projects including Log4j, to allow it time to repair the problem before it was publicly revealed. While patches to fix problems like this can emerge very quickly, especially once they are responsibly disclosed to the development team, it takes time for everybody to apply them. Computers and web services are now so complex, layered with dozens of stacked levels of abstraction, code running on code, on code, that it could take months for all of these services to update.