What av are u using

@@meganjordaan6690 eset

@Cherish God He said eset

@Cherish God I use the Smart Security Premium because i realy like the password Manager

@@lars3285 I love Eset and I think that they have improve a lot with Eset Liveguard technology. I woukd really like to see Leo testing it with some advanced configuration because Eset by default is not as good but I'd you configure it correctly it's really effective.

fun fact: the company whcih exploited that is from china according to another video, they're probably doing that just for competitive reasons which sucks

There isn't enough punishment for retarded programming.

r word

@@mintsushi9598 I don't give a fuck.

Yupp, in canada 🇨🇦 there having a field day

Oh no, my college is also in Java!

Just don't panic, you are most likely subject to general updates just like me and any desktop user.

Pray.

It's a vulnerability with the log4j library of logging features. Unfortunately it's not really something that can be covered via antivirus as far as I'm aware, the remote execution of ransomware or malware COULD be prevented with an AV however the actual exploit isn't something that can be blocked by it, just due to the way it works. Any unpatched java application that is running logging via the log4j family and is unpatched to disable RCE is vulnerable.

@@ashinylilligant9723 thank you

@@ashinylilligant9723 damn.

@@ashinylilligant9723 how do you protect a linux system then?? I dont really hear of people using antiviruses in that system so what do you do in that case?

Yup, I hate this "release now, fix later" bullshit

@🌟:awesome: Run Linux in a VM

4:49 Devs that use the library and programs that factually deploy and/or employ them are the main bubble to my sense.

Log4j has already stated the vulnerable versions and are actively working to resolve it. Most developers, professional at least, should have at least mitigated the issues.

It for sure can affect Minecraft. Being on multiplayer servers is pretty dangerous right now if they aren’t properly patched, though it may be fixed now. I haven’t followed up on it lately

The vulnerability only affects devices running the Java log4j library, which are usually servers. If you are a home user visiting a website compromised by the log4j vulnerability it’s unlikely you will be targeted by it. There is of course a risk of threat actors using drive-by downloads on servers they compromised to deliver malware to your home device, or installing magecart or other card scrapers to steal your banking/credit card details should you input them on a compromised site.

Steam was also affected

Uefi is not safe, like 100%. There are rootkits that embed to it. Take moonbounce for one.

Wasn't that just about Java's JNDI and its unchecked class loading under certain conditions in general? This is JNDI + Log4j and as far as Log4j is concerned, this is a zero day.

It allows attackers to run any kind of code they please. So yes. Deploying a keylogger to record the passwords you type in the banking website wouldn't be difficult. I can only give you the same advice you've probably heard a million times: Make sure you have 2-factor-authentication enabled. Every bank should support it by now and it is designed to prevent exactly this kind of attack.

Windows doesnt really work like that its fundamentally broken (: on linux servers yes this will sorta sandbox it to user privs

I think talk about the vulnerability has engaged in a bit of sensationalism. For sure, technical organizations that have done essentially everything wrong are going to have a bad time. For orgs that operate with sane security practices (e.g. principles of least privilege and defense in depth) this is inconvenient and is going to cause your cyber security team to lose sleep monitoring for a while but the world isn't ending. The exploit depends on a bit of a chain of many people getting things very wrong culminating in app servers having unrestricted access to the internet for no reason.

Well, at least on Windows, there are plenty of UAC bypass methods.

Most of the valuable files attacked by ransomware (documents, photos, etc.) are generally writable with standard user privileges. There is bigger scope for attack with higher privileges (other user accounts, etc.) but it can still be extremely damaging regardless.

Yep, even "unhackable" linux and mac os, Minecraft Java Edition and even android...

It may affect with no doubt, but I guess I haven't seen any mobile company claiming to be a huge target or menace around. So, make sure you always are in a patched device, that's and will probably always be the best and shortest protection.

@@citizenkimi we're fuked

no, aes256 is rock solid encryption, and considered quantum safe. No matter how sophisticated AI gets it will never, never be able to break aes256

AIs can't crack a encryption algorithm no matter how advance they get, primary goal of AIs is Data processing and correlation. For the most part it's trying to achieve something near human intelligence/awareness. Cracking an Encryption algorithm requires wither exponential processing power or an another algorithm that reduces the time or data complexity of the said algorithm. AES-256 is considered pretty secure as even the best attacks against it(if you don't include attacks against bad implementations) only reduce its complexity by very small values.

Log4j is not maintained by Oracle, it's a 3rd party repo. No liability to vendor.

@user i do. 1x 2TB plus 2 x 1TB SEAGATE. Anything else ?

@user and I have 4 laptops with the same data on each. Each with 1TB HDD from PB Tech in Auckland

It's a vulnerability in a Java library, it affects every platform with Java and a JVM running on it, which is basically every platform in existence.

@@PaperBagMan884 sad. We need an alternative to java

It already did.

well macos is linux

Android is based on Linux too

@@bestGaming132 chrome os too

Java is cross-platform and runs on pretty much everything, so if a Java application that uses the vulnerable library is deployed on a Mac I see no reason it would be any safer. Their old slogan "Write once, run anywhere" applies to this exploit as well, unfortunately!

@@AviatingRandom No. MacOS is Unix

nope since they both use java and log4shell is a java library

still affects you cuz log4shell is a java library and chromeos uses java

I like jelly

I like cheese

i like pudding

I like

Creamy or crunchy

probably?

No, but it risks being as harmful.

@@malwaretestingfan yep

Cool

Ok

Affected

affected cuz mac uses java and log4shell is a java library

@@amogustroll69 I don’t have java based software :)

@@Turann99 even if you dont have java software, macOS does use java for some of its core components under-the-hood

Depends more on the device than on the OS. Linux is actually very secure, but since IoT devices are rarely updated and Android relies (or better, used to) rely more on the user security-wise (and not counting the cases where malware is shipped together with the firmware, see Triada), Linux may be easily attacked.

Default user account in Windows is admin, which means that by default malware developers shouldn't bother with privilege escalation since as soon as they enter the device they will already have admin rights anyway. Not all Linux distros has the same security settings/levels, some has kernel modules that are responsible for protecting the OS. others like Fedora Silverblue and Endless OS are immutable and are based on OSTree technology, core files are protected with read-only images and the root filesystem is also immutable. Windows doesn't have that, and it's easy for things like StarForce's DRM to break your OS by being able to manipulate system files, mainly because you has to give admin rights to anything you install.

@@Sumire973 The default user account in Windows is not the Administrator, but the UAC that Windows provides is extremely weak.

@@Sumire973 A few things wrong with this, while you're true that the default account is Admin in windows(and while any sane person uses a separate user account), but that doesn't allow for automated admin rights. The UAC is well implemented and uses Winlogon Desktop which is a SYSTEM Privileged account for the UAC Prompts. And yea, certain Linux distros provide immutable fs but let's not forget that it's not the standard/de-facto practice even in Linux. Also, most of the core windows system files are read-only aswell, even with Admin privileges you need to take ownership in order to modify those. Also, the problem with games and other software requiring Admin privileges is purely for a different reason. It has nothing to do with the security of UAC implementation in Windows. And FOSS alternatives exist in windows too. Moreover, most of the Privilege Escalation exploiting in Windows are done by either exploiting a UAF(Use After Free) vulnerability, Memory injection in unprotected escalated processes, or simple DLL Hijacking. The thing is that your statement would've been true like 3-4 years ago, given that windows itself had a plethora of exploitable system processes, but most of them(if not all) have been fixed, so now in order to pull off a guaranteed Privilege Escalation you need to either somehow trick the user into thinking that they're Escalating a trustworthy process(for example some malwares use the good old notepad.exe for the UAC bypass) or exploit some other third party escalated process.

@@malwaretestingfanWrong, UAC is not weak, in fact its pretty much one of the best security implementations in Windows. It uses Winlogon Desktop to display a sandboxed prompt and there exists no direct bypass or vulnerability in the implementation itself. The problem is other processes/programs which run with Admin Privileges and are vulnerable to UAF, Memory injection or DLL injection.