Another serious WordPress plugin vulnerability

As many as 100,000 web sites built with WordPress have been compromised through a vulnerability in a plugin named ‘RevSlider’ (aka ‘Revolution Slider’, aka ‘Slider Revolution’). Attackers used the vulnerability to add malicious code to the compromised sites, which resulted in those sites serving up the malicious code to site visitors.

Unfortunately, the RevSlider plugin is not free, and as such it typically can’t be updated using the standard WordPress update mechanism. Worse still, the plugin is often included in commercial themes, in which case the theme developer must obtain the updated plugin, create a new package for the theme that includes the new plugin, then make that package available to their customers. Because of these hurdles, many affected sites have not yet been updated.

If you manage a WordPress site that uses RevSlider, you should determine whether it was purchased directly or as part of a commercial theme, then obtain an appropriate update and install it as soon as possible.
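To help with the "where is it installed" question, here is an added example script (not from the original post) that inventories every copy of a named plugin under a WordPress `wp-content` directory, whether it lives directly under `plugins/` or is bundled unpacked inside a theme, and reports each copy's location and version. It assumes the standard WordPress plugin header (`Plugin Name:` and `Version:`); the sample directory tree and version numbers it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Lists every copy of a
# WordPress plugin below wp-content (direct install or theme-bundled copy),
# with the version declared in its plugin header. Assumes the standard
# header lines "Plugin Name:" and "Version:"; a copy still zipped inside a
# theme package would have to be unpacked before this finds it.

# find_plugin_copies WP_CONTENT_DIR "Plugin Name"
# Prints one line per copy: "<main plugin file> <version>"
find_plugin_copies() {
    root="$1"; name="$2"
    # Header lines may be bare or inside a "/** ... */" block with leading " * ".
    find "$root" -name '*.php' -exec grep -l \
        "^[[:space:]]*\**[[:space:]]*Plugin Name:[[:space:]]*$name" {} + 2>/dev/null |
    while IFS= read -r file; do
        ver=$(sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
            "$file" | head -n 1)
        printf '%s %s\n' "$file" "${ver:-unknown}"
    done
}

# make_sample_tree: constructed wp-content layout for demonstration only.
# One direct install, one copy bundled in a theme, one unrelated plugin.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/plugins/revslider" "$dir/plugins/other" \
             "$dir/themes/sometheme/plugins/revslider"
    printf '<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n' \
        > "$dir/plugins/revslider/revslider.php"
    printf '<?php\n/**\n * Plugin Name: Slider Revolution\n * Version: 4.6.0\n */\n' \
        > "$dir/themes/sometheme/plugins/revslider/revslider.php"
    printf '<?php\n/*\nPlugin Name: Other Plugin\nVersion: 1.0\n*/\n' \
        > "$dir/plugins/other/other.php"
    printf '%s\n' "$dir"
}

# Usage against a real site: find_plugin_copies /var/www/html/wp-content "Slider Revolution"
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    find_plugin_copies "$root" "Slider Revolution"
    rm -rf "$root"
fi
```

Every copy the script lists must be updated separately; a theme-bundled copy is not touched by updating the standalone plugin, and vice versa.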

Sony should fire their senior management

Clarification: this attack affected Sony Pictures Entertainment, which is a subsidiary of Sony. As far as we know, the attack did not affect any other parts of Sony.

By now you’ve almost certainly heard about the massive, comprehensive breach of all Sony’s computer systems.

It’s now clear that the attackers gained access months (if not years) ago, and took their time expanding their reach until they had access to almost every system and server controlled by Sony. The attackers then downloaded massive amounts of data from Sony systems, including unreleased films, personal data about employees, internal (and in some cases extremely embarrassing) emails, and so on. The final step for the attackers was to wipe hard drives. That’s the point at which Sony finally learned that their systems had been hacked, tipped off by someone who doesn’t even work for Sony.

At this point it’s difficult to estimate the damage, but Sony will be feeling the effects for years to come.

Incredibly, this isn’t the first time Sony has been hacked. In fact, they’ve been hacked as many as 56 times in the last decade or so. Each time this happened, Sony had an opportunity – and a serious responsibility – to improve their security. Instead, as is clearly evident from the details of this most recent attack, Sony has done little or nothing to beef up its security.

Still, one can almost feel some sympathy toward Sony. That is, until you look at what Sony is doing about the latest attack. In a move that only the most clueless corporate lawyer would recommend, Sony is now threatening anyone who reports on this attack, including noted security writer Brian Krebs.

Worse still, there are reports that Sony is performing DDoS attacks against sites that host information taken from Sony systems. If true, this is a mind-bogglingly short-sighted move.

Dear Mr. Sony: you should now fire all your senior management. I’m not kidding. These people have – and will continue to – hurt you more than they can possibly help. Time to cut your losses.

Update 2014Dec20: Ars Technica has more.

Update 2014Dec23: Bruce Schneier’s post about this is recommended reading. He looks at some of the ridiculous reactions to this attack and presents a sensible overview of what we really know.

Another bad patch from Microsoft

One of the updates from last week’s Patch Tuesday apparently caused problems for numerous Windows 7 and Windows Server 2008 users.

The update, KB3004394, was issued to increase the frequency of root certificate updates from weekly to daily, thereby improving overall system security.

Unfortunately, once the update was installed on affected computers, some software and driver installation programs no longer worked as expected.

Microsoft initially recommended uninstalling the problematic update, but has now released another update (KB3024777) that fixes the problem.

Ars Technica has additional details.

The problem with Tor

Tor is a collection of software that allows its users to access Internet-based resources anonymously. There are a lot of legitimate reasons why a person might want to remain anonymous on the ‘net. Unfortunately, Tor (as well as other proxy and anonymizing services) also allows unscrupulous persons to hide their illegal activities. A recent study shows that a large proportion of attacks against banking sites arrived via Tor.

As a result, major web sites are increasingly blocking access from Tor nodes, in the hope that this will reduce the overall amount of access by those seeking to do damage or obtain private information. The problem is that Tor users with no evil intent are then also prevented from using such sites.

The Tor developers are aware of this problem, and are working to keep Tor relevant by working with site owners to find ways to prevent improper access without blocking Tor completely.

So far there doesn’t appear to be a good, long-term solution to this problem. However, it may be useful to recognize that Tor is just a tool, and like all other tools, it can be used for good, evil, or anything in between. A better approach to security than wholesale blocking is to improve security on the host.

Patch Tuesday for December 2014

It’s patch time again.

As expected, Adobe released updates for Reader/Acrobat, but they also issued updates for Flash. The new version of Reader/Acrobat is 11.0.10, and it addresses at least twenty vulnerabilities.

The latest version of Flash is 16.0.0.235 (on most platforms), and it fixes six vulnerabilities in previous versions. As usual, Google Chrome will update its own internal Flash, and Microsoft will offer Flash updates for Internet Explorer on Windows 8.x via Microsoft Update. Note that Adobe also released Flash 15.0.0.246, which apparently fixes the same issues in earlier versions of Flash 15.

Meanwhile, Microsoft today released seven bulletins and associated patches. The patches address vulnerabilities in Windows, Internet Explorer, and Office. There’s a useful summary on the MSRC blog.

Brian Krebs has additional details.

Holiday season warning: beware phony ‘order confirmation’ emails

Brian Krebs recently posted an excellent article about a specific kind of malicious email currently showing up in inboxes everywhere, just in time for the holiday shopping season.

Most web stores send email order confirmations when you buy something, and that’s a good thing. Unfortunately, these emails can be faked easily enough, and the unwary recipient may not notice that the sender’s address doesn’t look quite right, or that the language in the message is somewhat unprofessional. Clicking a link in one of these emails is an extremely bad idea, since it’s likely to lead to browser hijacking, malware, or both.

Firefox 34/34.0.5 stealth release

Firefox 34.0 was released on December 1. The new version includes some security fixes, improves the search bar, and makes switching between profiles a bit easier.

As usual, there was no announcement for this version, despite Mozilla staffers telling me that major releases always get proper announcements on the Mozilla blog.

Further confusing things is a release notes page for version 34.0.5, linked from the main release notes page, that looks almost identical to the page for 34.0. Worse still, Firefox itself won’t update to 34.0.5, and the Firefox download page assures me that I’m running the latest version (that version being 34.0).

Is it just me, or is Mozilla getting worse at this stuff?

Update 2014Dec05: Apparently version 34.0.5 is somehow seen as optional. For whatever reason, the automatic updater and the download page see 34.0 and 34.0.5 as equivalent. The only way to upgrade from 34.0 to 34.0.5 is to download 34.0.5 from the ‘Download a fresh copy’ page and install it on top of version 34.0.

Update 2014Dec08: Since the only difference between 34.0 and 34.0.5 is the default search provider, and that change only affects users in the US, it seems reasonable to assume that the Firefox download page (as well as Firefox’s self-updater) will only suggest 34.0.5 if you are in the US. My own tests were inconclusive.