Category Archives: WordPress and other CMS

Critical security update for Joomla

Joomla 3.6.4, released on October 25, addresses two critical security vulnerabilities that could allow an attacker to gain control of a Joomla-based web site.

Like WordPress, Joomla forms the basis of numerous web sites, because it’s easy to set up and manage. Its popularity and ease of use have of course also made Joomla a target for malicious hackers, who know that many Joomla sites are not kept up to date by their inexperienced owners.

If you manage a Joomla 3+ web site, please install this update as soon as possible. It’s very likely that attackers are already searching the web for vulnerable sites. Unless of course you want your site to be part of a botnet (which may sound cool, but really isn’t).

WordPress 4.6.1: security release

Two serious security vulnerabilities in WordPress 4.6 are fixed in the latest version, 4.6.1. Several other minor issues are also addressed. See the release notes for additional details.

WordPress sites that are configured to install minor updates automatically should be auto-upgraded to version 4.6.1 in the next few days, but anyone who manages a WordPress site should immediately verify this, and install the update manually if it’s not already running 4.6.1.

Joomla 3.6.1 update problems

The latest version of Joomla is causing problems for web servers running older versions of PHP. Affected Joomla sites are still accessible, but users and administrators are unable to log in.

An announcement on the Joomla web site, and another in the Joomla documentation, provide details and workarounds for problems caused by the update, but web servers running PHP 5.3 won’t find them particularly helpful. If you administer a web server running PHP 5.3, the solution is to either wait for Joomla 3.6.2, or make some changes to a single Joomla file, as outlined in this fix on Github.

In case you’re wondering why any diligent web server administrator would still be running a version of PHP that is known to be insecure, what’s actually going on in most cases is that the admin is running a custom build of PHP that has had all relevant security fixes applied. For example, these custom builds of PHP are provided for Ubuntu LTS (Long Term Support) releases to allow for maximum security and stability.

Update 2016Aug05: That was fast. Joomla 3.6.2 is now available, and it fixes the PHP 5.3 compatibility issue.

April security roundup

People who store Slack credentials in Github code repositories learned that this a bad idea, as researchers demonstrated the ease with which this information can be gathered without any explicit permissions.

Scary news: computers at a German nuclear reactor facility were found to be loaded with malware. The only thing that prevented miscreants from playing with real nuclear reactors was the fact that these computers are not connected to the Internet.

Crappy security practices led to the theft of user account information (email addresses and poorly-encrypted passwords) from Minecraft community site Lifeboat.

The notorious hacking group known as Hacking Team made the news again, this time with reports of active drive-by exploits affecting Android devices.

The Nuclear exploit kit is still operating, despite recent, partially-successful, efforts to shut it down. Researchers showed that the kit is still being used, and may be involved in recent ransomware infections.

Good news: the two men responsible for the notorious SpyEye banking trojan, recently extradited to the US to face federal prosecution, will be spending nine and fifteen years in prison.

Zero-day exploits are on the rise, doubling from 24 in 2014 to 54 in 2015. A zero-day exploit is a hack that takes advantage of software vulnerabilities before the software’s maintainers have had a chance to develop a fix.

Cisco security researchers identified vulnerabilities in several enterprise software systems, including Red Hat’s JBoss. As many as three million web-facing servers running this software are at risk of being infected with ransomware, and in fact as many as 2100 infected servers were identified.

More good news: the Petya ransomware was found to contain a flaw that allows its victims to decrypt their data without paying any ransom.

The Mumblehard botnet was taken down by ESet researchers, after it infected at least 4000 computers and sent out countless spam emails.

Microsoft announced plans to prevent Flash content from playing automatically in the Windows 10 web browser Edge. All the major browsers appear to be heading in this direction, if they don’t already have the feature, as does Chrome.

April’s issue of the SANS ‘Ouch!’ newsletter is titled “I’m Hacked, Now What?” (PDF) and provides helpful information for the recently-hacked. The newsletter is aimed at regular users, so it may not be particularly useful for IT professionals, except as a means to educate users.

The wildly popular WhatsApp – a messaging application for mobile devices – now has end-to-end encryption. This will make life more difficult for spy agencies who want to know what users are saying to each other. But WhatsApp users should be aware that this does not make their communications invulnerable, since techniques exist to get around full encryption, such as keystroke loggers.

Bad idea: someone at CNBC thought it would be a good idea to ask users to submit their passwords to a web-based system that would test the passwords and report on their relative strength. The service itself was vulnerable, and exposed submitted passwords to network sniffing. The service was taken offline soon after the vulnerability was identified.

The web site for toy maker Maisto International was hacked and serving up ransomware for an unknown amount of time, probably several days or even weeks. The hack was made possible because the site was using outdated Joomla software.

Hacked WordPress sites spreading ransomware

WordPress continues to be a favourite target for people engaged in malicious activity on the web. A WordPress site that isn’t kept up to date with security patches is almost guaranteed to be compromised in some way.

There’s been a recent surge in the number of hacked WordPress sites, many of of which are infecting visitors with ransomware. If you haven’t bothered to install security updates on your computer, simply visiting a compromised site can infect it. And ransomware is not something you want to mess with.

Please, make life more difficult for the people spreading malware and compromising web sites: keep your WordPress sites, operating system, and software patched.

Critical security update for WordPress

Two serious security vulnerabilities are addressed in the latest version of WordPress: 4.4.2. Anyone who runs a WordPress site is strongly encouraged to update their site as soon as possible. Sites that are configured for automatic updates should get the new version automatically, but there are sometimes delays in automatic updates, so you should make sure.

The new version fixes seventeen bugs in total. The release notes have all the technical details.

WordPress 4.4.1 security release

A critical cross-site scripting (XSS) vulnerability in WordPress 4.4 and earlier versions has been addressed in a new WordPress version: 4.4.1.

Since this is a security release, anyone who administers a WordPress site is strongly encouraged to install the update as soon as possible. If your WordPress site is configured for auto-updates, it may have been updated already, but you should check it to be sure.

WordPress 4.4.1 also fixes a few minor non-security bugs. In all, 52 bugs were addressed in the new version. The release notes provide additional details.

You can also see what’s changed in 4.4.1 on the WordPress bug tracking site. Happily, the page on the other end of that link shows only what’s changed in WordPress 4.4.1, which is a lot more useful than Mozilla’s approach for Firefox, which is to list all changes since the last major version. The WordPress change list is also a lot easier to navigate (and understand) than the equivalent list for Google Chrome.