Date: 2021-12-15

Organisations should take swift action to patch a "critical vulnerability" in a widely used piece of software that could allow hackers to take full control of computer systems, the Cyber Security Agency of Singapore (CSA) said yesterday.

The bug has been scored the maximum of 10 in terms of severity of computer system vulnerabilities.

Immediate action needs to be taken because "we only have a short window" to put in place measures to limit any abuse of the flaw, CSA warned.

The flaw, which affects a wide range of applications, from social media and gaming to online shopping and banking, is likely to affect hundreds of millions of devices, the United States' national cyber-security agency said on Monday, adding that it could be one of the worst in years.

The affected software, Apache Log4j, is free software that is widely used to keep track of activities in software applications, such as system errors and messages from users.

Cyber-security experts warned that the flaw can be easily exploited by adding a line of code.

This could allow cybercrooks to steal and delete data, hijack a firm's e-mail system to send phishing messages, make fraudulent bank transfers and more.

The services and sites known to be vulnerable at some point include Apple's iCloud online back-up service, Valve's Steam online game store and Microsoft's Minecraft online game. Among others reportedly at risk are Amazon, Baidu, Google, Tencent and Twitter.

While CSA has not received any report of breaches related to the vulnerability for now, it is closely monitoring the situation and working with critical information infrastructure businesses to put in place measures to address the bug.

The Monetary Authority of Singapore separately said that financial institutions using the affected software "are expected to take appropriate and prompt actions to address the vulnerability".

Organisations here affected by the vulnerability are urged to report to the Singapore Computer Emergency Response Team if there is evidence their systems have been compromised.

CSA's urgent call to action follows an initial alert it sent out last Friday. On Monday, US Cybersecurity and Infrastructure Security Agency director Jen Easterly said the flaw "is one of the most serious I've seen in my entire career, if not the most serious", reported cyber-security news site CyberScoop.

Last Saturday, Germany's cyber-security watchdog BSI issued the highest red alert warning on the bug, saying it posed an "extremely critical threat" to Web servers.

Apple and several other companies have reportedly taken steps to patch the security hole, or to alert customers to steps they can take.

Some businesses in Singapore also said they are on high alert.

Cyber criminals appear to be rushing to find potential victims they can attack using the flaw.

"Right now, the Internet is on fire," said Mr Kevin Reed, chief information security officer of cyber-security firm Acronis, and "there are thousands of exploitation attacks every second".

Globally and in Singapore, his firm detected single-digit exploitation attempts on Friday. But this surged 300 times at the weekend.

"Because (Log4j) is everywhere and easy to exploit, we will see a lot of exploitation in the coming days... maybe months," said Mr Reed.