Fifteen disclosures over the last two weeks, with eleven issues unfixed.
I hope everyone in the State’s had a great Thanksgiving last week. Many of you this week, hopefully, are attending WordCamp US in beautiful Nashville. If you are, please be sure to say “hello” to our colleagues from Vanderbilt who run a massive, and quite impressive, WordPress instance.
WordPress Security News
Earlier this week, WordPress version 4.9.1 was released. In addition to being a maintenance release correcting eleven bugs, 4.9.1 addresses four security issues, so you are strongly encouraged to get the updates scheduled into your Change Management cycle as soon as possible.
Tide, a project started here at XWP and supported by Google, Automattic, and WP Engine, aims to equip WordPress users and developers to make better decisions about the plugins and themes they install and build.
Comments from some of the XWP employees in the WPTavern story indicated they will be using the WordPress Coding Standards rules for PHP_CodeSniffer to facilitate some of the testing. While I’m not 100% convinced of assigning a grade or star rating to the test results, I applaud any effort to add testing of submitted code to the repository. XWP plans to demonstrate Tide at WCUS this weekend and I look forward to hearing impressions from people who are able to demo it. I hope XWP is able to open up the service shortly so the community can work toward improving the code quality of submitted code.
Other Security News
Right before Thanksgiving, the OWASP foundation announced the release of the OWASP Top 10 2017 edition. Three new entries were added in this edition: A8-2017 Insecure Deserialization, A10-2017 Insufficient Logging and Monitoring, and A4-2017 XML External Entities (XXE). To make room for these new entries, A4-2103 Insecure Direct Object References and A7-2013 Missing Function Level Access Controls were merged into A5-2017 Broken Access Controls, and two were removed: A8-2013 Cross-Site Request Forgery and A10-2013 Unvalidated Redirects and Forwards. Cross-Site Scripting continues to be in the Top 10 but was moved from A3 in 2013 to A7 in the new list.
Last, if you are running macOS High Sierra, please be sure to apply update 2017-001 as it corrects a serious issue that, under certain conditions, allows anyone with physical access to the machine to login as root. Ars Technica has a good write-up on the issue.