WordPress 4.5.2 Security Release

WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.1 and earlier are affected by a same-origin method execution (SOME) vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS via specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.

Both issues were analyzed and reported by Mario Heiderich, Masato Kinugawa, and Filedescriptor from Cure53. Thanks to the team for practicing responsible disclosure, and to the Plupload and MediaElement.js teams for working closely with us to coördinate and fix these issues.

Download WordPress 4.5.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.5.2.

Additionally, there are multiple widely publicized vulnerabilities in the ImageMagick image processing library, which is used by a number of hosts and is supported in WordPress. For our current response to these issues, see this post on the core development blog.

WordPress Redirect Hack via Test0.com/Default7.com

We’ve been working on a few WordPress sites with the same infection that randomly redirects visitors to malicious sites via the default7 .com / test0 .com / test246 .com domains. In this post, we’ll provide you with a review of this attack, investigated by our malware analyst, John Castro.

Header.php Injection

In all cases, the malware injects 10-12 lines of code at the top of the header.php file of the current WordPress theme:

Malicious injection in header.php

When decoded, the main part of the malware looks like this:

Decoded malware

The logic is simple. On a visitor's first visit to the site after the infection, the script redirects them to default7 .com and sets the 896diC9OFnqeAcKGN7fW cookie for one year to track returning visitors, who are not redirected again. It also checks the User-Agent header so that search engine crawlers are not redirected.
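Because the redirect fires only once per visitor and skips crawlers, simply browsing the site is an unreliable way to confirm an infection; checking the theme files directly is more dependable. The scanner below is an added example written for this post, not Sucuri's tooling. It looks in the first 12 lines of every header.php under a theme directory for the indicators named above (the cookie name and the three redirect domains) plus a few generic PHP obfuscation markers, which are an assumption about injected code in general rather than something the write-up states about this campaign. The sample header contents and the `wp-content/themes` path are constructed.

```python
"""Scan WordPress theme header.php files for the indicators from the write-up."""
import os
from typing import Dict, List

COOKIE_NAME = "896diC9OFnqeAcKGN7fW"  # cookie name quoted in the write-up
REDIRECT_DOMAINS = ("default7.com", "test0.com", "test246.com")  # domains from the write-up
# Assumption: generic PHP obfuscation/execution calls, not specific to this campaign
OBFUSCATION_MARKERS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(")
INJECTION_WINDOW = 12  # the write-up reports 10-12 injected lines at the top of header.php


def scan_header(source: str, window: int = INJECTION_WINDOW) -> List[str]:
    """Return the indicators found in the first `window` lines of a header.php."""
    head = "\n".join(source.splitlines()[:window]).lower()
    found: List[str] = []
    if COOKIE_NAME.lower() in head:
        found.append(f"cookie:{COOKIE_NAME}")
    for domain in REDIRECT_DOMAINS:
        if domain in head:
            found.append(f"domain:{domain}")
    for marker in OBFUSCATION_MARKERS:
        if marker in head:
            found.append(f"marker:{marker}")
    return found


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a {path: contents} mapping and return only the files with indicators."""
    hits: Dict[str, List[str]] = {}
    for path, contents in files.items():
        found = scan_header(contents)
        if found:
            hits[path] = found
    return hits


def scan_theme_dir(themes_root: str) -> Dict[str, List[str]]:
    """Read every header.php below themes_root (e.g. wp-content/themes) and scan it."""
    files: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(themes_root):
        if "header.php" in names:
            path = os.path.join(dirpath, "header.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[path] = fh.read()
    return scan_files(files)


# Constructed sample: a clean theme header.
CLEAN_HEADER = """<?php
/**
 * The header for our theme (constructed sample)
 */
?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
"""

# Constructed sample: a non-functional stand-in that only carries the indicator
# strings in comments, so the scanner has something to match.
SUSPICIOUS_HEADER = """<?php
// INJECTED-PLACEHOLDER: eval(base64_decode('...'));
// INJECTED-PLACEHOLDER: setcookie('896diC9OFnqeAcKGN7fW', ...); default7.com
?>
<!DOCTYPE html>
"""

if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/themes"  # assumed path
    for hit_path, indicators in scan_theme_dir(root).items():
        print(f"{hit_path}: {', '.join(indicators)}")
```

Run it from the WordPress document root (or pass the themes directory as the first argument); a file that matches only generic markers deserves a manual look, since some legitimate themes call `base64_decode`, while a hit on the cookie name or one of the domains is specific to this campaign.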

For more information, read the full analysis here.

The Johns Hopkins Foreign Affairs Symposium Presents: The Price of Privacy: Re-Evaluating the NSA

Encryption Technology and Law Enforcement

Technology and law enforcement officials testified at a hearing on the use of encryption technology. On the law enforcement panel, witness Amy Hess argued that without access to encrypted data on smartphones and other devices, the FBI cannot investigate crimes to the best of its ability. Technology industry experts explained in the second panel that encryption is critical to U.S. national security, and that there is no way to provide a back door to encrypted data without risking the privacy and security of everyone. Bruce Sewell, Apple’s senior vice president of legal and global security, denied claims that Apple supplied its source code to China, saying the company was asked but refused.

Should CIOs worry about the Internet of Hackable Things?

An interesting article by Jen A. Miller from CIO.com:

If 2015 was the year of the Internet of Things, 2016 could be the year of the hacked Internet of Things. That could mean a lot of headaches for CIOs, whether they’re fans of these new devices themselves or will be dealing with employees connecting them at work and managing the potential security exposure that brings.

“The issue to date is that devices are vulnerable just by the fact that they exist and can connect to the Internet,” says Jerry Irvine, member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council and CIO of Prescient Solutions. “Anybody can get to a device if you don’t secure them properly.”

One of the reasons why it’s a big hacker target: It’s, well, big. Gartner estimates that 6.4 billion connected things will be in use by 2016, up 30 percent from last year. They also predict that 5.5 million new things will get connected every day.

That’s a lot of possible portals for bad players to get in.

Read the rest here.

IRS Issues Alert for Tax Phishing Scheme

The Internal Revenue Service (IRS) has issued a news release addressing a new spear phishing scheme targeting payroll and human resource professionals. In this scheme, cybercriminals pose as company executives requesting personal information on employees.

US-CERT encourages users and administrators to review the IRS news release for details and refer to US-CERT Security Tip ST15-001 for information on tax-themed phishing attacks.