Last week, Minecraft was hit by perhaps the worst exploit ever seen, which is saying something for a game that's over a decade old.
This exploit, if performed correctly, allowed malicious players to take control of another player's PC while playing on a Minecraft server. This was, of course, extremely concerning for Minecraft players all over the world.
Although now patched by Mojang, it's interesting to look at exactly just how this situation unfolded. This article will also explain how players and server owners can be 100% sure they are no longer vulnerable to this attack.
What was the Minecraft Log4j exploit?
This exploit was known as a "zero-day" exploit, meaning that its existence was completely unknown to the developers. It allowed bad actors to take control of other players' computers and even hold Minecraft servers hostage.
Exactly how the exploit works is relatively complex, but was first reported by Alibaba security researchers on November 24, 2021. Once executed, the exploit allows hackers to execute remote code on a Minecraft system due to the specific logging library Minecraft uses, called Log4j.
It's not just Minecraft that was affected by this exploit. So far, it's been confirmed that other services such as Steam, iCloud, Amazon, and Twitter were also among those affected.
How to fix the Minecraft Log4j exploit
Luckily, not much needs to be done to overcome this issue, seeing as it has now been patched by Mojang themselves. Minecraft players should always ensure that they are using the official version of the game, not those published by third-party sources.
It's a different story for Minecraft server owners, however. Owners of Minecraft servers will need to actively patch this manually, so that their server is no longer vulnerable.
This can be done relatively simply via downloading and installing the updated Log4j config patch, which was released by Mojang a few days ago. The patch can be found here and should be installed in the directory with the Minecraft server.