Serious security flaw threatens Minecraft and possibly the entire internet — what to do
Flaw in small software component has giant consequences
If you're a Minecraft player using the Java Edition on a PC, Mac or Linux box, you'll want to update your game software to the latest version immediately.
There's a very serious security flaw that could let malicious hackers totally take over your computer. The issue could also affect many other online services, including possibly Steam and Apple iCloud, but we don't yet know exactly how severe the threat to those other platforms is. (Update: It's as bad as we feared.)
Ideally, you want your Minecraft Java Edition client software to be fully updated to version 1.18.1, released earlier today (Dec. 10). Often, just closing the game and then restarting the launcher will automatically update the game software to the latest version.
"If you play Minecraft: Java Edition, but aren't hosting your own server, you will need to take the following steps," said a blog post today on the Minecraft website. "Close all running instances of the game and the Minecraft Launcher. Start the Launcher again — the patched version will download automatically."
I'd advice you to not play versions of Minecraft earlier than 1.12 right now.December 10, 2021
Players running Minecraft mods based on earlier versions of the Java Edition will have to figure out their own way to version 1.18.1. Administrators of Minecraft servers need to follow specific instructions depending on which server-software version they're running, as detailed in the Minecraft blog post. Interestingly, versions below 1.7 don't seem to be affected by this flaw.
Nor does the flaw seem to affect Minecraft Bedrock Edition, aka just Minecraft. That edition is not based on Java and runs on Windows, mobile devices and game consoles. That version is up to 1.18.2.
Generally, if you downloaded your Minecraft software for Windows from the Minecraft website, or you're using a Mac or Linux box, you're running the Java Edition.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
If you got the Windows version of the game from the Microsoft online store, or you're playing Minecraft on iOS, Android or a gaming console, then you're running the Bedrock Edition and you're not in any danger.
"This exploit is quite severe on Minecraft Java Edition. Anyone can send a chat message which exploits everyone on the server and the server itself, because every chat message is logged," wrote commenter createonez on the Hacker News forum earlier today. "Some of the major servers like 2b2t and Mineplex have shut down, and larger servers that haven't shut down yet are pure chaos right now."
This problem goes far beyond Minecraft
This security flaw isn't in Minecraft itself, but in the Java environment that Minecraft Java Edition uses to be cross-compatible on Windows, Mac and Linux.
A widely used open-source logging utility called Log4j was found yesterday (Dec. 9) to have an extremely serious security flaw.
It could let an attacker gain remote control of any client machine logged into a server running a Java instance using a vulnerable version of Log4j. Many servers running the open-source Apache software also use Log4j.
Log4j has been patched and a new version made available today, but many servers have not updated their Java or Apache builds yet to incorporate it. Most of the problems will be on the server side, but it's possible some platforms may experience client-side issues; we really don't yet know yet.
Another commenter on the Hacker News forum said that Steam and Apple iCloud were also vulnerable, but we've not been able to verify that and it's not clear whether that was just on the server side or on the client side as well.
"I suspect we are going to see affected applications and devices continue to be identified for a long time," Rumble chief technology officer HD Moore, who also developed the Metasploit hacking platform, told Ars Technica's Dan Goodin .
"This is a big deal for environments tied to older Java runtimes: Web front ends for various network appliances, older application environments using legacy APIs, and Minecraft servers, due to their dependency on older versions for mod compatibility."
UPDATE: We're getting more reaction from information-security experts on Twitter, who say this could end up causing a "mini-internet meltdown."
"Although this emerged as a Minecraft issue (lol) there is going to be impacts across a wide range of enterprise software for some time," said Kevin Beaumont, a well-known security researcher in northern England.
Starting a new thread for log4j security vulnerability and fallout. Spoiler: although this emerged as a Minecraft issue (lol) there is going to be impacts across a wide range of enterprise software for some time. https://t.co/s9XQIgqNQ4December 10, 2021
"You can Google pretty much any big InfoSec vendor with log4j and find... things," he added, putting up screenshots of documentation of Log4j implementations in Symantec antivirus software, Blackberry server software, Microsoft Azure and what appeared to be a Barracuda firewall.
Rob Joyce, director of cybersecurity at the U.S. National Security Agency, tweeted that even the NSA's own free-to-use Ghidra software-analysis tool used Log4j. He called it a "significant threat for exploitation."
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.