Daily Archives: February 7, 2016

WordPress Releases Security Update (February 2016)

On the 3rd of February WordPress released a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.4.2.

This is a critical security update that resolves 2 security issues. One is a server-side request forgery (SSRF) vulnerability that could allow information disclosure, since it has the potential to bypass normal access controls. The other affects the WordPress login page and could have been used to redirect a user who is trying to log in.

Due to the severity of these issues, WordPress is advising its users to update immediately.

Separately, a ransomware (defined) campaign is compromising very large numbers of WordPress websites by adding obfuscated (defined within this post) JavaScript (defined) to those websites, which results in visitors being redirected to a website of the attacker’s choice. The JavaScript can deliver the ransomware to a visitor’s system if it is running outdated versions of Adobe Flash Player/Reader, Microsoft Internet Explorer or Silverlight, since it makes use of the Nuclear exploit kit (defined). At the time of writing there is very little detection of the exploit code on VirusTotal.com.

A shortlist of recommendations to protect your WordPress website against this ransomware campaign is shown below (for your convenience). This list, together with further details of this threat, is available from Heimdal Security’s blog post (I wish to express my sincere thanks to them for making such detailed information available to protect against this threat):

  • Keep software and your operating system updated at all times
  • Backup your data, do it often and in multiple locations
  • Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.

Moreover, a technical description of how this attack occurs against a WordPress website is available within this Sucuri blog post. Malwarebytes also provide advice and a further technical description in their blog post, in which they describe how the campaign has switched from the Nuclear exploit kit (defined) to the Angler exploit kit.
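Two of the checks a site owner would want after reading the above are whether the install is actually at 4.4.2 and whether any JavaScript served by the site shows the hallmarks of injected, obfuscated code. The following is an added example written for this page, not code from WordPress, Heimdal, Sucuri or Malwarebytes; it assumes the `$wp_version = '...'` assignment found in `wp-includes/version.php`, and the obfuscation indicators and thresholds are heuristics chosen here, not published signatures for this campaign.

```python
import re

# Heuristic indicators that frequently co-occur in injected, obfuscated JavaScript.
# These are generic hints, not a signature for any specific campaign.
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "unescape": re.compile(r"\bunescape\s*\("),
    "document_write": re.compile(r"document\.write\s*\("),
    "location_redirect": re.compile(r"(window\.)?location(\.href)?\s*="),
}
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")


def score_obfuscation(js: str) -> dict:
    """Count indicator hits plus two density measures for one JS snippet."""
    hits = {name: len(p.findall(js)) for name, p in OBFUSCATION_PATTERNS.items()}
    hits["hex_escapes"] = len(HEX_ESCAPE.findall(js))
    hits["longest_line"] = max((len(line) for line in js.splitlines()), default=0)
    return hits


def is_suspicious(js: str, min_hex: int = 20, min_line: int = 500) -> bool:
    """Flag code that combines a code-execution primitive with heavy encoding or a redirect."""
    s = score_obfuscation(js)
    exec_like = s["eval"] or s["fromCharCode"] or s["unescape"] or s["document_write"]
    encoded = s["hex_escapes"] >= min_hex or s["longest_line"] >= min_line
    return bool(exec_like and (encoded or s["location_redirect"]))


VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def version_tuple(v: str) -> tuple:
    """'4.4.2-alpha' -> (4, 4, 2); pre-release suffixes are ignored."""
    return tuple(int(x) for x in v.split("-")[0].split("."))


def wordpress_is_patched(version_php: str, fixed: str = "4.4.2") -> bool:
    """Parse the text of wp-includes/version.php and compare with the fixed release."""
    m = VERSION_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return version_tuple(m.group(1)) >= version_tuple(fixed)


# Constructed samples for demonstration; not taken from any real site.
CLEAN_JS = "document.addEventListener('DOMContentLoaded', function () {\n  console.log('theme loaded');\n});\n"
INJECTED_JS = 'var s="' + "\\x6a\\x73" * 15 + '";document.write(unescape(s));window.location=\'//example.test/\';\n'
VERSION_PHP = "<?php\n$wp_version = '4.4.1';\n"
```

Run `is_suspicious` over each `.js` and `.php` file under the web root and treat hits as files to diff against a known-good copy or backup, which is where the "backup your data" recommendation above pays off.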

As always, WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) will install the above-mentioned update in the background. WordPress.com hosted blogs, such as the one you are reading now, automatically receive such security updates.

For more information on installing updates to commonly used software, this blog can assist. Please see the “Protecting Your PC” page for how to keep software updated. Moreover, specific information on Adobe updates is available here, with Microsoft updates discussed here.

Thank you.

VideoLAN Releases VLC Version 2.2.2

Yesterday the popular open source media player VLC, created by the VideoLAN non-profit organization, was updated to version 2.2.2.

This update is available for Linux, Apple Mac OS X and Windows. It addresses several security issues, mentioned here and here; among them is the Logjam security issue. The update can be downloaded for the above operating systems from this page.

If you use VLC, please update as soon as possible to benefit from the security fixes that version 2.2.2 includes, as well as the fixes for the more than 100 general software bugs that were also addressed.

Thank you.

Malwarebytes Announces Upcoming Security Update / Bug Bounty Programme

Update: 20th March 2016:
A more recent blog post provides details of the now released security update.

Thank you.

Original Post
On Wednesday of last week the anti-malware organization Malwarebytes published a blog post to inform its customers that they are working to resolve several security vulnerabilities responsibly disclosed (defined) to them.

The well-known Google security researcher Tavis Ormandy disclosed these issues to them in November 2015. Malwarebytes is currently working to have an updated version (2.2.1) of its anti-malware product available in the next 3 to 4 weeks.

If you are a Malwarebytes business or consumer customer, or make use of their free anti-malware software, please monitor the Malwarebytes blog for announcements, and continue to keep your Malwarebytes product up to date in order to be protected against these security issues. Users of the Premium version of Malwarebytes can enable self-protection to mitigate (protect against) these issues until the appropriate update is made available. Further details of how to enable this security feature are available here.

Malwarebytes also took the opportunity within the above-mentioned blog post to announce their Bug Bounty program. This should ensure that such vulnerabilities are disclosed and resolved sooner in the future. Further details of their bug bounty program are available here.

I will update this post when version 2.2.1 of Malwarebytes is made available.

Thank you.

Oracle Releases Out of Band Java Security Update

Since Oracle’s previous security updates, made available in the third week of January, they have released further updates for Java versions 6, 7 and 8.

These updates address 1 security issue (more formally known as a CVE (defined)). Further highlights of this update are provided here. Moreover, Qualys references the type of vulnerability this update addresses, namely a binary planting vulnerability.

A set of suggested practices for using Java on your computer are provided here. Please install the recommended update for your version of Java as soon as possible to protect against this newly disclosed security issue.

Thank you.