Category Archives: Wordpress and other CMS

WordPress 4.7.2 – security update

Most WordPress sites are configured to automatically update themselves when a new version becomes available. Still, anyone who manages any WordPress sites should make sure they are up to date with version 4.7.2, released yesterday.

WordPress 4.7.2 addresses three serious security vulnerabilities. You can find all the details in the release announcement.

Update 2017Feb02: Apparently WordPress 4.7.2 included a fix for a fourth security vulnerability, which wasn’t announced until February 2. The vulnerability is so severe that the WordPress developers didn’t want to risk anyone knowing about it until the majority of WordPress sites were updated.

Critical security update for Joomla

Joomla 3.6.4, released on October 25, addresses two critical security vulnerabilities that could allow an attacker to gain control of a Joomla-based web site.

Like WordPress, Joomla forms the basis of numerous web sites, because it’s easy to set up and manage. Its popularity and ease of use have of course also made Joomla a target for malicious hackers, who know that many Joomla sites are not kept up to date by their inexperienced owners.

If you manage a Joomla 3+ web site, please install this update as soon as possible. It’s very likely that attackers are already searching the web for vulnerable sites. Unless of course you want your site to be part of a botnet (which may sound cool, but really isn’t).

WordPress 4.6.1: security release

Two serious security vulnerabilities in WordPress 4.6 are fixed in the latest version, 4.6.1. Several other minor issues are also addressed. See the release notes for additional details.

WordPress sites that are configured to install minor updates automatically should be auto-upgraded to version 4.6.1 in the next few days, but anyone who manages a WordPress site should immediately verify this, and install the update manually if it’s not already running 4.6.1.

Joomla 3.6.1 update problems

The latest version of Joomla is causing problems for web servers running older versions of PHP. Affected Joomla sites are still accessible, but users and administrators are unable to log in.

An announcement on the Joomla web site, and another in the Joomla documentation, provide details and workarounds for problems caused by the update, but web servers running PHP 5.3 won’t find them particularly helpful. If you administer a web server running PHP 5.3, the solution is to either wait for Joomla 3.6.2, or make some changes to a single Joomla file, as outlined in this fix on Github.

In case you’re wondering why any diligent web server administrator would still be running a version of PHP that is known to be insecure, what’s actually going on in most cases is that the admin is running a custom build of PHP that has had all relevant security fixes applied. For example, these custom builds of PHP are provided for Ubuntu LTS (Long Term Support) releases to allow for maximum security and stability.

Update 2016Aug05: That was fast. Joomla 3.6.2 is now available, and it fixes the PHP 5.3 compatibility issue.

April security roundup

People who store Slack credentials in Github code repositories learned that this a bad idea, as researchers demonstrated the ease with which this information can be gathered without any explicit permissions.

Scary news: computers at a German nuclear reactor facility were found to be loaded with malware. The only thing that prevented miscreants from playing with real nuclear reactors was the fact that these computers are not connected to the Internet.

Crappy security practices led to the theft of user account information (email addresses and poorly-encrypted passwords) from Minecraft community site Lifeboat.

The notorious hacking group known as Hacking Team made the news again, this time with reports of active drive-by exploits affecting Android devices.

The Nuclear exploit kit is still operating, despite recent, partially-successful, efforts to shut it down. Researchers showed that the kit is still being used, and may be involved in recent ransomware infections.

Good news: the two men responsible for the notorious SpyEye banking trojan, recently extradited to the US to face federal prosecution, will be spending nine and fifteen years in prison.

Zero-day exploits are on the rise, doubling from 24 in 2014 to 54 in 2015. A zero-day exploit is a hack that takes advantage of software vulnerabilities before the software’s maintainers have had a chance to develop a fix.

Cisco security researchers identified vulnerabilities in several enterprise software systems, including Red Hat’s JBoss. As many as three million web-facing servers running this software are at risk of being infected with ransomware, and in fact as many as 2100 infected servers were identified.

More good news: the Petya ransomware was found to contain a flaw that allows its victims to decrypt their data without paying any ransom.

The Mumblehard botnet was taken down by ESet researchers, after it infected at least 4000 computers and sent out countless spam emails.

Microsoft announced plans to prevent Flash content from playing automatically in the Windows 10 web browser Edge. All the major browsers appear to be heading in this direction, if they don’t already have the feature, as does Chrome.

April’s issue of the SANS ‘Ouch!’ newsletter is titled “I’m Hacked, Now What?” (PDF) and provides helpful information for the recently-hacked. The newsletter is aimed at regular users, so it may not be particularly useful for IT professionals, except as a means to educate users.

The wildly popular WhatsApp – a messaging application for mobile devices – now has end-to-end encryption. This will make life more difficult for spy agencies who want to know what users are saying to each other. But WhatsApp users should be aware that this does not make their communications invulnerable, since techniques exist to get around full encryption, such as keystroke loggers.

Bad idea: someone at CNBC thought it would be a good idea to ask users to submit their passwords to a web-based system that would test the passwords and report on their relative strength. The service itself was vulnerable, and exposed submitted passwords to network sniffing. The service was taken offline soon after the vulnerability was identified.

The web site for toy maker Maisto International was hacked and serving up ransomware for an unknown amount of time, probably several days or even weeks. The hack was made possible because the site was using outdated Joomla software.

Hacked WordPress sites spreading ransomware

WordPress continues to be a favourite target for people engaged in malicious activity on the web. A WordPress site that isn’t kept up to date with security patches is almost guaranteed to be compromised in some way.

There’s been a recent surge in the number of hacked WordPress sites, many of of which are infecting visitors with ransomware. If you haven’t bothered to install security updates on your computer, simply visiting a compromised site can infect it. And ransomware is not something you want to mess with.

Please, make life more difficult for the people spreading malware and compromising web sites: keep your WordPress sites, operating system, and software patched.