Millions of websites big and small are racing to patch a huge software loophole that security experts are describing as "the single biggest, most critical vulnerability of the last decade."

The flaw, called Log4Shell, affects a commonly used tool that handles the critical process of logging for apps and web services.

Virtually every program will keep a list – or log – of activities performed, and the open source Apache Log4j handles logging for millions of businesses and organizations around the world. That and the ease with which its vulnerability can be exploited gives the problem an unusually big scale.

Log4Shell leaves the door open for servers and network to be breached remotely, with very little effort on the part of the attacker. The Associated Press reported that it was first discovered in Minecraft, the massively popular online game, where it took as little as a message posted in the chat to trigger the flaw in users' systems.

A patch closing that door has already been released, but given the sheer breadth of apps and services that use Log4j, fixing the issue isn't very straight-forward. The AP pointed out that the biggest cloud providers out there, such as Amazon, have quickly addressed the crisis, but other programs will have to be updated individually by users.

Amit Yoran, the CEO of the cybersecurity firm Tenable, told the news agency that everyone was better off assuming they had been compromised and acting accordingly.