Ten disclosures over the last two weeks, with four issues unfixed.
View this week’s vulnerable plugins list.
I hope everyone had a wonderful and relaxing holiday break. Unfortunately, vulnerabilities and disclosures did not rest. Two critical situations were disclosed during that time: an Unauthenticated Arbitrary File Upload discovered in the LearnDash LMS plugin by NinTechNet, and the disclosure by Wordfence that three plugins (Duplicate Page and Post, No Follow All External Links, and WP No External Links) contained backdoor code in the current versions hosted in the WordPress plugin repository, which appears to be aimed at injecting SEO spam into sites’ output. The WordPress plugin team have closed all three to new installs from the repository and released a cleaned version of WP No External Links. If you are using any of these plugins, you should remove them immediately and begin looking for a replacement.
As I mentioned in my last post, I firmly believe this situation will become ever more prevalent. As a site owner, once you have vetted a plugin and installed it on your site, you trust that future updates will also be safe. It is unrealistic to expect that the majority of site owners will re-evaluate a plugin’s code after every update. I know at the University of Missouri, we struggle to get apps re-evaluated every six months, let alone every time there’s a new update to a dependency (plugin) in a site. While I know that the openness of the WordPress plugin/theme repository has definitely assisted in propelling WordPress to its current market share, with that power comes responsibility. As a community, we need to begin to balance the openness of the repository with the responsibility of protecting its users.
Other Security News
The GIGANTIC news this week was the disclosure on January 3rd by the Project Zero team at Google of vulnerabilities in processors (dubbed Meltdown and Spectre) from Intel, AMD, and ARM, dating all the way back to 1995. Essentially, every device that contains a CPU from the last two decades is susceptible. In addition, it is theoretically possible for these attacks to be carried out through a website. Operating system vendors can, and will, be introducing patches over the coming days to mitigate the risk. As you are notified of these patches, please update immediately. The Register was the first news outlet to break the story and has an excellent write-up covering these vulnerabilities in more detail.
As site owners, we need to make sure that our hosting partners have updated the underlying operating systems our sites run on. Many of the major hosting providers have already patched, or announced upcoming patches to protect against these vulnerabilities. If you have not heard from your hosting provider, you should definitely contact them and ask when they plan to apply updates.
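If you have shell access to the server (or a VPS) your site runs on, you can check the kernel's own report of its Meltdown/Spectre mitigation status instead of waiting for a vendor notice. The script below is an added example written for this post, not something from the original article or from any hosting provider. It assumes a Linux host whose kernel exposes the sysfs directory /sys/devices/system/cpu/vulnerabilities/ (introduced with the mitigation work in early 2018); a kernel without that directory predates the fixes and should be treated as unpatched. The sample directory it builds for demonstration is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): report the kernel's Meltdown/
# Spectre mitigation status from the sysfs interface Linux exposes under
# /sys/devices/system/cpu/vulnerabilities/ (assumed present on patched kernels).

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print one line per vulnerability entry in DIR (default: the real sysfs path).
# Return 0 if every entry reports a mitigation or "Not affected",
#        1 if any entry starts with "Vulnerable" (host still needs patching),
#        2 if the directory is missing (kernel too old to know about the issue).
check_cpu_mitigations() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the mitigation reporting interface" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip if the glob matched nothing
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) echo "$name: $status  [UNPATCHED]"; rc=1 ;;
            *)           echo "$name: $status" ;;
        esac
    done
    return $rc
}

# Count how many entries in DIR still report "Vulnerable".
count_vulnerable() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Build a constructed sample directory (not real hardware output) showing a
# kernel with Spectre mitigations applied but Meltdown still open. The status
# strings mirror the format the kernel uses in those files.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Demo: run against the constructed sample, then against the real host.
sample=$(make_sample_dir)
echo "--- constructed sample ---"
check_cpu_mitigations "$sample" || echo "sample host: $(count_vulnerable "$sample") unpatched entry/entries"
rm -rf "$sample"
echo "--- this host ---"
check_cpu_mitigations || echo "this host still needs kernel updates (or is too old to report)"
```

Run it as a regular user; the sysfs files are world-readable. A non-zero exit from `check_cpu_mitigations` with no argument is the signal to ask your host when they plan to apply updates.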
Since it is possible for these attacks to occur online, what can you do to protect yourself until your OS is patched? Both Google Chrome and Firefox are vulnerable currently, with Google planning to release a fix in version 64 of Chrome, due out January 23rd. In the meantime, you can enable Site Isolation in Chrome by navigating to
in the address bar of Chrome and clicking Enable. You will then need to relaunch Chrome. Firefox has released partial fixes in version 57.0.4, with additional fixes to follow on January 23rd. Beyond that, the normal precautions should be taken: only install apps (including those on your phones/tablets) from known, safe sources; don’t click on links in emails, SMS text messages, online message boards, etc. that are from people you don’t know, or in situations where you weren’t expecting them; and apply updates for all of your devices as soon as they are available.