Alerts

OS X v10.10.2 - Security Update 2015-001, Safari 8.0.3... iOS 8.1.3, Apple TV 7.0.3

FYI...

OS X v10.10.2 and Security Update 2015-001
- http://support.apple.com/en-us/HT204244
Jan 27, 2015
> AFP Server, bash, Bluetooth, CFNetwork Cache, CoreGraphics, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, FontParser, Foundation, Intel Graphics Driver, IOAcceleratorFamily, IOHIDFamily, IOKit, IOUSBFamily, Kernel, LaunchServices, libnetcore, LoginWindow, lukemftp, OpenSSL, Sandbox, SceneKit, Security, security_taskgate, Spotlight, SpotlightIndex, sysmond, UserAccountUpdater
(More detail at the URL above.)
> http://www.securitytracker.com/id/1031650

Safari 8.0.3, 7.1.3, 6.2.3 released
- http://support.apple.com/en-us/HT204243
Jan 27, 2015
> Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1
CVE-2014-3192, CVE-2014-4476, CVE-2014-4477, CVE-2014-4479
> http://www.securitytracker.com/id/1031647

iOS 8.1.3
- http://support.apple.com/en-us/HT204245
Jan 27, 2015
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
> AppleFileConduit, CoreGraphics, dyld, FontParser, Foundation, IOAcceleratorFamily, IOHIDFamily, iTunes Store, Kernel, libnetcore, MobileInstallation, Springboard, WebKit
(More detail at the URL above.)
> http://www.securitytracker.com/id/1031652

Apple TV 7.0.3
- http://support.apple.com/en-us/HT204246
Jan 27, 2015
> Available for: Apple TV 3rd generation and later
(More detail at the URL above.)
> http://www.securitytracker.com/id/1031651

> http://support.apple.com/en-us/HT1222

:fear::fear:

Thunderbird 31.5 released

FYI...

Thunderbird 31.5 released
- https://www.mozilla.org/en-US/thunderbird/31.5.0/releasenotes/
Feb 24, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird31.5
Fixed in Thunderbird 31.5
2015-24 Reading of local files through manipulation of form autocomplete
2015-19 Out-of-bounds read and write while rendering SVG content
2015-16 Use-after-free in IndexedDB
2015-12 Invoking Mozilla updater will load locally stored DLL files
2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/en-US/thunderbird/all.html
___

- http://www.securitytracker.com/id/1031792
CVE Reference: CVE-2015-0822, CVE-2015-0827, CVE-2015-0831, CVE-2015-0833, CVE-2015-0835, CVE-2015-0836
Feb 24 2015
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.5 ...

:fear:

Adblock Plus 1.8.11 for Chrome, Opera and Safari released

FYI...

Adblock Plus 1.8.11 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-1811-for-chrome-opera-and-safari-released
2015-02-24
Changes:
Improved the icon and logo (issue 1535 and issue 1989).
Fixed: Filters with internationalized domains didn’t match (issue 1801).
Fixed: On the options page, input was submitted even if the wrong button was pressed (issue 1448).
Fixed some issues with the “Block element” dialog.
Fixed: Overlays were sometimes covered by other elements (issue 1857).
Fixed: Matching elements weren’t highlighted sometimes (issue 1864).
Fixed: Mouse events handled by the page could prevent the dialog from showing up (issue 1665).
Fixed: Dialog wasn’t completely visible when selecting elements inside small frames (issue 350).
Fixed several issues related to framesets (issue 1867, issue 1870 and issue 1082).
Fixed issues caused by selecting SVG elements (issue 1856).
Fixed: Images weren’t recognized when using image maps (issue 1868).
Fixed a memory leak when routing messages across frames (issue 1840).

Chrome/Opera-only changes:
Fixed: Icon and badge didn’t update for pre-rendered tabs (issue 1976).
Fixed issue with third-party pages loaded in anonymous frames (issue 1977).
Fixed: CSS selectors containing commas partially broke element hiding (issue 1802).
Fixed: “Block element” dialog and highlighted elements were staying visible after the extension is unloaded (issue 1843).

Safari-only changes:
Fixed an issue that broke the user interface for some languages (issue 2008).

(Install links at the adblockplus URL above.)

:fear:

Adblock Plus 1.4 for IE released

FYI...

Adblock Plus 1.4 for IE released
- https://adblockplus.org/releases/adblock-plus-14-for-ie-released
2015-02-26
We are updating Adblock Plus for IE with version 1.4.

... list of all improvements since version 1.3.

New in this release: the addition of the installer for Active Directory installs, which we really hope network administrators would appreciate.
There’s an x64-bit and x86-bit variant of the GPO installer.
Also, this version is the first version that will perform queries for notifications like all other ABP versions.

> https://downloads.adblockplus.org/devbuilds/adblockplus/00latest.changelog.xhtml

:fear:

AdblockPlus 1.3 for Android

FYI...

AdblockPlus 1.3 for Android
- https://adblockplus.org/releases/adblock-plus-13-for-android-released
2015-03-03
If you already have Adblock Plus for Android, it should notify you about the update shortly and download it automatically.

We did a lot of under-the-hood changes again, rewrote the way libadblockplus is integrated (#16) and cleaned up the different methods for setting the proxy and deciding which method to use (#547).
Besides that we:
improved compatibility with Android Lollipop (#1498, #1848)
reduced the memory usage (#303)
included twelve new translations
and, of course, fixed a lot of various minor and major issues...

(Install links at the adblockplus URL above.)

:fear:

Apple Security Updates

FYI...

Apple Security Update 2015-002
- https://support.apple.com/en-us/HT204413
Mar 9, 2015
- http://www.securitytracker.com/id/1031869
CVE Reference: CVE-2015-1066
Mar 10 2015
Impact: Root access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.5, 10.9.5, 10.10.2...

iOS 8.2 released
- https://support.apple.com/en-us/HT204423
Mar 9, 2015
- http://www.securitytracker.com/id/1031868
CVE Reference: CVE-2015-1061, CVE-2015-1065
Mar 10 2015
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.5, 10.9.5, 10.10.2 ...
- https://lists.apple.com/archives/security-announce/2015/Mar/msg00000.html

Apple TV 7.1
- https://support.apple.com/en-us/HT204426
Mar 9, 2015

Xcode 6.2
- https://support.apple.com/en-us/HT204427
Mar 9, 2015

- https://support.apple.com/en-us/HT1222

- https://isc.sans.edu/diary.html?storyid=19443
Last Updated: 2015-03-10 - "... Apple also addressed a number of security vulnerabilities, most notably the "Freak" vulnerability. After updating, the affected operating systems no longer support export quality ciphers. However, Apple browsers continue to support SSLv3 and as a result, continue to be vulnerable to POODLE*...
* http://www.poodletest.com/
Quick Summary of the security content of Apple's updates:
- XCode 6.2: This update addresses 4 vulnerabilities in subversion and 1 in git.
- OS X: 5 vulnerabilities. The most serious of which is likely a code execution vulnerability in Keychain.
- Apple TV: 3 vulnerabilities. One of which would allow an attacker to write files to the system if the user mounts a corrupt disk image.
- iOS: 6 vulnerabilities. In addition to FREAK and the above mentioned Keychain problem, a vulnerability that allows an attacker with physical access to the device to see the home screen on a locked device is patched..."

- https://www.us-cert.gov/ncas/curren...leases-Security-Updates-OS-X-iOS-and-Apple-TV
Mar 9, 2015

:fear::fear:
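
Added example (my own code, not from Apple or the ISC diary): the server-side counterpart to the client checks quoted above. The ISC note says Apple's browsers still speak SSLv3 after the update; the question for anyone running a web server is whether the server still accepts an export-grade RSA suite (FREAK) or an SSLv3 ClientHello (POODLE). Modern TLS libraries refuse to offer either, so this script builds the ClientHello by hand and reads back the ServerHello or alert. Cipher suite numbers are from the IANA TLS registry; the host in the usage line, the constructed ServerHello and the alert bytes used for offline checking are placeholders.

```python
"""Raw-socket probe for FREAK (server negotiates RSA_EXPORT suites) and
POODLE (server answers an SSLv3 ClientHello). Added example, not Apple's
or ISC's code; no TLS library is used because current libraries will not
offer these suites or that protocol version at all."""
import os
import socket
import struct
import sys

SSL3 = 0x0300
TLS10 = 0x0301

# Cipher suite IDs from the IANA TLS Cipher Suite registry.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}
# Ordinary suites an SSLv3-capable server would accept; used for the POODLE probe only.
SSL3_SUITES = {
    0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "SSL_RSA_WITH_RC4_128_SHA",
}
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(version, suites):
    """TLS record (type 22) carrying a ClientHello that offers only `suites`."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version)          # client_version
            + os.urandom(32)                    # random
            + b"\x00"                           # empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def parse_first_record(data):
    """Classify the server's first record: ('server_hello', version, suite),
    ('alert', level, description) or ('other', content_type)."""
    if len(data) < 5:
        raise ValueError("short or empty response")
    ctype = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:
        return ("alert", payload[0], payload[1])
    if ctype == 0x16 and payload[:1] == b"\x02":
        hs = payload[4:]                        # skip handshake type + 3-byte length
        if len(hs) < 35 or len(hs) < 37 + hs[34]:
            raise ValueError("truncated ServerHello")
        version = struct.unpack("!H", hs[0:2])[0]
        sid_len = hs[34]                        # follows 2-byte version + 32-byte random
        suite = struct.unpack("!H", hs[35 + sid_len:37 + sid_len])[0]
        return ("server_hello", version, suite)
    return ("other", ctype)


def classify(response, offered):
    """Verdict on whether the server accepted one of the suites we offered."""
    kind = parse_first_record(response)
    if kind[0] == "server_hello":
        _, version, suite = kind
        if suite in offered:
            return {"accepted": True, "version": version, "suite": offered[suite]}
        return {"accepted": False, "reason": "server picked unoffered suite 0x%04x" % suite}
    if kind[0] == "alert":
        return {"accepted": False, "reason": "alert %s" % ALERT_NAMES.get(kind[2], kind[2])}
    return {"accepted": False, "reason": "unexpected content type %d" % kind[1]}


def probe(host, port, version, suites, timeout=5.0):
    """Send one ClientHello and classify the first thing the server sends back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, suites))
        response = sock.recv(4096)
    if not response:
        return {"accepted": False, "reason": "connection closed without a TLS record"}
    return classify(response, suites)


def build_server_hello(version, suite):
    """Constructed fixture: what a weak server answers. Used for offline checks only."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


# Constructed fixture: fatal(2) handshake_failure(40), what a patched server sends back.
HANDSHAKE_FAILURE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"   # placeholder host
    print("FREAK  (export suites offered):", probe(target, 443, TLS10, EXPORT_SUITES))
    print("POODLE (SSLv3 ClientHello):    ", probe(target, 443, SSL3, SSL3_SUITES))
```

A server that is fixed answers both probes with a handshake_failure or protocol_version alert, or just closes the connection; a ServerHello that echoes back an export suite, or an SSLv3 version, is the finding. Only the first record is parsed, which is enough, since the ServerHello always leads the server's flight.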
Adblock Plus 2.6.8 for Firefox ...

FYI...

Adblock Plus 2.6.8 for Firefox released
- https://adblockplus.org/releases/adblock-plus-268-for-firefox-released
2015-03-10 - "This release features the improved icon and logo that are already being used in Chrome, Opera and Safari (issue 1534, issue 2053, issue 2072). It also fixes an issue with the search functionality in the Filter Preferences affecting Firefox 36 and above (issue 2041)..."

:fear:

Blind SQL Injection against WordPress SEO

FYI...

Blind SQL Injection against WordPress SEO
- https://isc.sans.edu/diary.html?storyid=19457
2015-03-13 - "WordPress has released an advisory for the WordPress plugin SEO by Yoast. Version up to and including 1.7.3.3 can be exploited with a blind SQL injection. According to WordPress, this plugin has more than one million downloads. A description of the SQL injection with proof of concept is described here[3] and the latest update is available here[2]."

1] https://wordpress.org/plugins/wordpress-seo/
2] https://downloads.wordpress.org/plugin/wordpress-seo.1.7.4.zip
3] https://wpvulndb.com/vulnerabilities/7841

:fear::fear:

Safari 8.0.4, 7.1.4, 6.2.4

FYI...

Safari 8.0.4, 7.1.4, 6.2.4 released
- https://support.apple.com/en-us/HT204560
Mar 17, 2015
- https://lists.apple.com/archives/security-announce/2015/Mar/msg00004.html

- https://support.apple.com/en-us/HT1222

- http://www.securitytracker.com/id/1031936
CVE Reference: CVE-2015-1068, CVE-2015-1069, CVE-2015-1070, CVE-2015-1071, CVE-2015-1072, CVE-2015-1073, CVE-2015-1074, CVE-2015-1075, CVE-2015-1076, CVE-2015-1077, CVE-2015-1078, CVE-2015-1079, CVE-2015-1080, CVE-2015-1081, CVE-2015-1082, CVE-2015-1083, CVE-2015-1084
Mar 17 2015
Impact: Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available: Yes Vendor Confirmed: Yes...
Solution: The vendor has issued a fix (6.2.4, 7.1.4, 8.0.4).
___

- https://www.us-cert.gov/ncas/current-activity/2015/03/18/Apple-Releases-Security-Updates-Safari
March 18, 2015 - "... Updates include:
Safari 8.0.4 for OS X Mountain Lion v10.8.5
Safari 7.1.4 for OS X Mavericks v10.9.5
Safari 6.2.4 for OS X Yosemite v10.10.2
US-CERT encourages users and administrators to review Apple security update HT204560 ..."

:fear:

Android vuln/update

FYI...

Installer Hijacking Vulnerability in Android Devices
- https://www.us-cert.gov/ncas/curren...aller-Hijacking-Vulnerability-Android-Devices
March 24, 2015 - "A vulnerability in Google's Android OS* has been discovered that could allow an attacker to change or replace a seemingly safe Android application with -malware- during installation. An attacker exploiting this vulnerability could access and steal user data on compromised devices without user knowledge. Devices running Android version 4.4 or later are -not- vulnerable. US-CERT advises users to ensure their devices are running an up-to-date version of Android and to use caution when installing software from third-party app stores."
* http://researchcenter.paloaltonetwo...bility-could-expose-android-users-to-malware/
March 24, 2015 - "Executive Summary: We discovered a widespread vulnerability in Google’s Android OS we are calling 'Android Installer Hijacking', estimated to impact 49.5 percent of all -current- Android users.
In detail: Android Installer Hijacking allows an attacker to modify or replace a seemingly benign Android app with malware, without user knowledge. This only affects applications downloaded from third-party app stores. The malicious application can gain full access to a compromised device, including usernames, passwords, and sensitive data. Palo Alto Networks worked with Google and major manufacturers such as Samsung and Amazon to inform them of the vulnerability and issue patches for their devices..."
____

- https://developer.android.com/about/dashboards/index.html
Data collected during a 7-day period ending on March 2, 2015
___

Backup Tool
> https://play.google.com/store/apps/details?id=com.backup.jl
Jan 15, 2015

How to Update an Android
> http://www.wikihow.com/Update-an-Android

How to update an Android OS
> http://www.ehow.com/how_6855334_update-android-os.html

> https://www.android.com/intl/en_us/phones/#tips
"*Instructions are tailored to most Android phones; however should these instructions not work for your device, please contact your manufacturer’s customer support..."

> https://www.android.com/intl/en_us/history/
___

Half of Android devices may be vulnerable to surreptitious install exploits
- http://arstechnica.com/security/201...allow-attaclers-to-install-password-stealers/
Mar 25, 2015 - "... Time-of-check to time-of-use vulnerability*..."
* https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use

:fear::fear:
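
Added example (my own code, not Palo Alto's, Google's or Android's installer): a Python illustration of the time-of-check to time-of-use race the Ars piece refers to. One file-based "installer" verifies the downloaded package by path and then copies it by path, so anything that can write the shared download between those two steps gets installed under the verified name; the other copies the package into a private staging directory first and verifies the copy it will actually install. The package bytes, the trusted hash and the attacker's swap are all constructed.

```python
"""TOCTOU in a package installer, vulnerable vs. hardened.
Added example; not Android's PackageInstaller code."""
import hashlib
import os
import shutil
import tempfile


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def install_vulnerable(package_path, install_dir, trusted_hash, race_hook=None):
    """Check by path, then use by path. Whoever can write package_path in
    between (another app sharing the download directory) wins the race."""
    with open(package_path, "rb") as f:                     # time of check
        if sha256_hex(f.read()) != trusted_hash:
            raise ValueError("package failed verification")
    if race_hook:
        race_hook()                                         # the window the attacker races into
    os.makedirs(install_dir, exist_ok=True)
    dest = os.path.join(install_dir, "app.apk")
    shutil.copyfile(package_path, dest)                     # time of use: re-reads the file
    return dest


def install_hardened(package_path, install_dir, trusted_hash, race_hook=None):
    """Copy into a directory only this process can write (mkdtemp creates it
    0700 on POSIX), verify that copy, and install from it. A later swap of the
    shared download cannot change what was verified."""
    staging = tempfile.mkdtemp(prefix="staging-")
    try:
        staged = os.path.join(staging, "app.apk")
        shutil.copyfile(package_path, staged)               # take a private copy first
        with open(staged, "rb") as f:                       # verify the private copy
            if sha256_hex(f.read()) != trusted_hash:
                raise ValueError("package failed verification")
        if race_hook:
            race_hook()                                     # attacker swaps the original: too late
        os.makedirs(install_dir, exist_ok=True)
        dest = os.path.join(install_dir, "app.apk")
        shutil.copyfile(staged, dest)                       # install the verified bytes
        return dest
    finally:
        shutil.rmtree(staging, ignore_errors=True)


# Constructed package contents (not real APKs).
BENIGN = b"PK\x03\x04 constructed benign package"
MALICIOUS = b"PK\x03\x04 constructed malicious package"


def simulate(install_fn):
    """Run one installer against a shared download that an attacker swaps
    between check and use; report which package actually got installed."""
    with tempfile.TemporaryDirectory() as work:
        shared = os.path.join(work, "download", "app.apk")  # stands in for shared storage
        os.makedirs(os.path.dirname(shared))
        with open(shared, "wb") as f:
            f.write(BENIGN)

        def attacker_swap():
            with open(shared, "wb") as f:
                f.write(MALICIOUS)

        dest = install_fn(shared, os.path.join(work, "installed"),
                          sha256_hex(BENIGN), race_hook=attacker_swap)
        with open(dest, "rb") as f:
            return "malicious" if f.read() == MALICIOUS else "benign"


if __name__ == "__main__":
    print("vulnerable installer installed:", simulate(install_vulnerable))
    print("hardened installer installed:  ", simulate(install_hardened))
```

The race_hook argument only exists to make the window deterministic; in the real thing the attacker is a background process polling the download directory. The fix is not "hash it twice" but "never verify bytes you do not exclusively own", which is why the hardened variant copies before it checks.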
WordPress malware causes Pseudo-Darkleech Infection

FYI...

WordPress malware causes Pseudo-Darkleech Infection
- http://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html
March 26, 2015 - "Darkleech* is a nasty malware infection that infects web servers at the root level. It uses malicious Apache modules to add hidden iFrames to certain responses. It’s difficult to detect because the malware is only active when both server and site admins are -not- logged in, and the iFrame is only injected once-a-day (or once a week in some versions) per IP address. This means that the infection symptoms are not easy to reproduce. Since it’s a server-level infection, even the most thorough website-level scans won’t reveal anything. And even when the culprit is identified, website owners may not be able to resolve the issue without help of a server administrator. Despite the detection difficulties, it was quite easy to tell that the server was infected with Darkleech when we saw the malicious code — it has followed the same recognizable pattern since 2012:
- Declaration of a CSS class with a random name and random negative absolute position
- A div of that class
- A malicious iFrame with random dimensions inside that div ..."
(More detail at the sucuri URL above.)
* http://blog.sucuri.net/2014/02/darkleech-bitly-com-insightful-statistics.html

> https://wordpress.org/plugins/sucuri-scanner/
WordPress Security plugin - Version 1.7.8
Last Updated: 2015-3-29
Active Installs: 100,000+
___

Current WordPress version 4.1.1
- https://wordpress.org/news/2015/02/wordpress-4-1-1/
Feb 18, 2015

:fear::fear:
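
Added example (my own code, not Sucuri's scanner): a Python check for the three-part pattern the post lists, a CSS class with a random name positioned absolutely at a negative offset, a div of that class, and an iframe inside that div. The two HTML samples are constructed. Because the post says the iframe is only served when no admin is logged in and once per IP per day, feed it a response fetched from a fresh, non-admin vantage point rather than your own logged-in browser.

```python
"""Detect the Darkleech injection pattern: off-screen CSS class + div + iframe.
Added example, not Sucuri's code."""
import re
import sys
from html.parser import HTMLParser

CSS_RULE = re.compile(r"\.([A-Za-z_][\w-]*)\s*\{([^}]*)\}", re.S)
ABS_POS = re.compile(r"position\s*:\s*absolute", re.I)
NEG_OFFSET = re.compile(r"\b(?:top|left|right|bottom)\s*:\s*-\d+(?:\.\d+)?(?:px|em|%)", re.I)


def offscreen_classes(html):
    """Class names whose rule positions the element absolutely at a negative offset."""
    found = set()
    for match in CSS_RULE.finditer(html):
        name, body = match.group(1), match.group(2)
        if ABS_POS.search(body) and NEG_OFFSET.search(body):
            found.add(name)
    return found


class _IframeInOffscreenDiv(HTMLParser):
    """Collect iframes that sit inside a div carrying one of the suspect classes."""

    def __init__(self, suspect):
        super().__init__()
        self.suspect = suspect
        self.open_divs = []     # per open <div>: the subset of its classes that are suspect
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div":
            classes = set((attrs.get("class") or "").split())
            self.open_divs.append(classes & self.suspect)
        elif tag == "iframe" and any(self.open_divs):
            self.hits.append({
                "src": attrs.get("src"),
                "width": attrs.get("width"),
                "height": attrs.get("height"),
                "classes": sorted(set().union(*self.open_divs)),
            })

    def handle_endtag(self, tag):
        if tag == "div" and self.open_divs:
            self.open_divs.pop()


def find_darkleech_iframes(html):
    """Return one record per iframe found inside an off-screen div."""
    suspect = offscreen_classes(html)
    if not suspect:
        return []
    parser = _IframeInOffscreenDiv(suspect)
    parser.feed(html)
    return parser.hits


# Constructed samples in the shape the post describes (not captured infection data).
SAMPLE_INFECTED = """<html><head><title>Blog</title>
<style>.kxqzt{position:absolute;top:-1989px;left:-2345px}</style>
</head><body><p>Welcome back.</p>
<div class="kxqzt"><iframe src="http://example.invalid/landing.php" width="457" height="312"></iframe></div>
</body></html>"""

SAMPLE_CLEAN = """<html><head><style>.hero{position:relative;top:10px}</style></head>
<body><div class="hero"><iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            html = f.read()
    else:
        html = SAMPLE_INFECTED
    for hit in find_darkleech_iframes(html):
        print("suspect iframe:", hit)
```

Legitimate pages do use negative absolute positioning (image-replacement tricks, accessibility text), so a hit on the class alone is noise; the iframe inside such a div is what makes it worth a look. Run the fetch several times from different source addresses, since a single clean response proves nothing for this infection.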
Thunderbird 31.6 released

FYI...

Thunderbird 31.6 released
- https://www.mozilla.org/en-US/thunderbird/31.6.0/releasenotes/
March 31, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird31.6
Fixed in Thunderbird 31.6
2015-40 Same-origin bypass through anchor navigation
2015-37 CORS requests should not follow 30x redirections after preflight
2015-33 resource:// documents can load privileged pages
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/en-US/thunderbird/all.html
___

- http://www.securitytracker.com/id/1032000
CVE Reference: CVE-2015-0801, CVE-2015-0807, CVE-2015-0813, CVE-2015-0814, CVE-2015-0815, CVE-2015-0816
Apr 1 2015
Impact: Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.6...

:fear:

Adblock Plus 2.6.9 for Firefox

FYI...

Adblock Plus 2.6.9 for Firefox released
- https://adblockplus.org/releases/adblock-plus-269-for-firefox-released
2015-03-31 - "This is another quality and stability release:
• Slightly optimized performance, domain-specific filters will no longer affect overall performance (issue 2177).
• Added extensions.adblockplus.suppress_first_run_page preference to allow administrators disable the first-run page if Adblock Plus is installed globally (issue 206). Note that additional changes are required to make this preference usable.
• Fixed: $elemhide filter option doesn’t consider website signatures correctly (issue 2151)..."

In Firefox: >Tools >Addons >Check for updates

:fear:

Apple Security Update 2015-004, Safari 8.0.5-7.1.5-6.2.5, iOS 8.3, Apple TV 7.2...

FYI...

Security Update 2015-004 - OS X Yosemite v10.10.3
- https://support.apple.com/en-us/HT204659
Apr 8, 2015
> https://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
- http://www.securitytracker.com/id/1032048
CVE Reference: CVE-2015-1088, CVE-2015-1089, CVE-2015-1091, CVE-2015-1093, CVE-2015-1095, CVE-2015-1096, CVE-2015-1098, CVE-2015-1099, CVE-2015-1100, CVE-2015-1101, CVE-2015-1102, CVE-2015-1103, CVE-2015-1104, CVE-2015-1105, CVE-2015-1117, CVE-2015-1118, CVE-2015-1130, CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, CVE-2015-1134, CVE-2015-1135, CVE-2015-1136, CVE-2015-1137, CVE-2015-1138, CVE-2015-1139, CVE-2015-1140, CVE-2015-1141, CVE-2015-1142, CVE-2015-1143, CVE-2015-1144, CVE-2015-1145, CVE-2015-1146, CVE-2015-1147, CVE-2015-1148
Apr 8 2015

Safari 8.0.5, 7.1.5, 6.2.5
- https://support.apple.com/en-us/HT204658
Apr 8, 2015 - "Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2..."
> https://lists.apple.com/archives/security-announce/2015/Apr/msg00000.html
- http://www.securitytracker.com/id/1032047
CVE Reference: CVE-2015-1112, CVE-2015-1119, CVE-2015-1120, CVE-2015-1121, CVE-2015-1122, CVE-2015-1124, CVE-2015-1126, CVE-2015-1127, CVE-2015-1128, CVE-2015-1129
Apr 8 2015

iOS 8.3
- https://support.apple.com/en-us/HT204661
Apr 8, 2015 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later..."
> https://lists.apple.com/archives/security-announce/2015/Apr/msg00002.html
- http://www.securitytracker.com/id/1032050
CVE Reference: CVE-2015-1085, CVE-2015-1086, CVE-2015-1087, CVE-2015-1090, CVE-2015-1092, CVE-2015-1094, CVE-2015-1097, CVE-2015-1106, CVE-2015-1107, CVE-2015-1108, CVE-2015-1109, CVE-2015-1110, CVE-2015-1111, CVE-2015-1113, CVE-2015-1114, CVE-2015-1115, CVE-2015-1116, CVE-2015-1123, CVE-2015-1125
Apr 9 2015

Apple TV 7.2
- https://support.apple.com/en-us/HT204662
Apr 8, 2015
> https://lists.apple.com/archives/security-announce/2015/Apr/msg00003.html

Xcode 6.3
- https://support.apple.com/kb/HT204663
Apr 8, 2015 - "Available for: OS X Mavericks v10.9.4 or later..."
> https://lists.apple.com/archives/security-announce/2015/Apr/msg00004.html
- http://www.securitytracker.com/id/1032049
CVE Reference: CVE-2015-1149
Apr 9 2015

- https://support.apple.com/en-us/HT201222
___

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1118
Last revised: 04/10/2015 - "... Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to cause a denial of service (memory corruption and application crash) via a crafted configuration profile..."
> http://www.theregister.co.uk/2015/04/10/apple_phantom_attack_ios_fix/
10 Apr 2015

:fear::fear:

Do Not Track is dead.

M$ rolls back commitment to Do Not Track

- http://www.networkworld.com/article...ft-rolls-back-commitment-to-do-not-track.html
Apr 3, 2015 - "Microsoft today rolled back its commitment to the nearly-dead "Do Not Track" (DNT) standard, saying that it would no longer automatically switch on the signal in its browsers. "DNT will not be the default state in Windows Express Settings moving forward, but we will provide customers with clear information on how to turn this feature on in the browser settings should they wish to do so," said Brendon Lynch, the firm's chief privacy officer, in a blog post* Friday. "Windows Express" is Microsoft's label for the setup process after first turning on a new PC or after the installation of an upgrade. Do Not Track signals whether a user wants online advertisers and websites to track his or her movements, and was modeled after the Do Not Call list that telemarketers are supposed to abide by. All five major browsers -- Chrome, Firefox, Internet Explorer (IE), Opera and Safari -- can send a DNT request. "This change will apply when customers set up a new PC for the first time, as well as when they upgrade from a previous version of Windows or Internet Explorer," added Lynch.
His comments implied that when users of Windows 7, 8 and 8.1 upgrade to Windows 10 later this year, the DNT setting in IE11 and Project Spartan -- the new browser that will be named the default -- will be left as off. Lynch cited new emphasis in the DNT standard for the change...

Previously, Microsoft had been adamant about automatically enabling DNT, a decision it made in mid-2012 as it developed IE10, the browser bundled with the then-impending Windows 8 and its offshoot, Windows RT. IE10 was also offered to Windows 7 users. At the time, Lynch made clear Microsoft's position. "We believe turning on Do Not Track by default in IE10 on Windows 8 is an important step in this process of establishing privacy by default, putting consumers in control and building trust online," Lynch said in late May 2012. Even then, the words "choice" and "deliberate" were being bandied about, with many, including the advertising industry, arguing that users had to explicitly choose DNT, and that an automatic setting of "on" should not be allowed... Even then, ad industry lobbying groups howled, calling Microsoft's DNT moves "unacceptable" and arguing that IE's setting would "harm consumers, hurt competition, and undermine American innovation."

Today's decision may have been a reversal of Microsoft's former position -- the latter fueled, analysts said, by the company's desire to take the privacy high ground to differentiate IE from rivals like Google's Chrome -- but it was largely moot. DNT has been in tatters for years, progress stymied by the inability of the various parties, particularly privacy advocates and the ad industry, to reach agreement. Not surprisingly, each has called the other obstinate, or worse. The fact is that only a handful of websites honor the DNT signal. DoNotTrack.us, for instance, lists just 21, with Twitter and Pinterest the biggest names.

Today, Lynch tried to characterize the change as conforming with its previous position, rather than a surrender.
"We said in 2012 that browser vendors should clearly communicate to consumers whether the DNT signal is turned off or on, and make it easy for them to change the setting," he wrote. "We did that for IE10 and IE11. And we're continuing to do so with future versions of our browsers."
* http://blogs.microsoft.com/on-the-i...pdate-on-microsofts-approach-to-do-not-track/
Brendon Lynch
Chief Privacy Officer, Microsoft

> http://donottrack.us/
___

Tracking Protection in Firefox
> https://support.mozilla.org/en-US/kb/tracking-protection-firefox

Privacy Badger:
- https://www.eff.org/privacybadger#what_is_privacy_badger
[Beta]

:fear: :blink:

WordPress 4.1.2 released

FYI...

WordPress 4.1.2 released
- https://wordpress.org/news/
April 21, 2015 - "WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site... We also fixed three other security issues..."

- https://wordpress.org/news/2015/04/wordpress-4-1-2/

Download
- https://wordpress.org/download/

- https://codex.wordpress.org/Version_4.1.2
April 21, 2015
• A serious critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
• Files with invalid or unsafe names could be uploaded.
• Some plugins are vulnerable to an SQL injection attack.
• A very limited cross-site scripting vulnerability could be used as part of a social engineering attack.
• Four hardening changes, including better validation of post titles within the Dashboard.

- https://www.us-cert.gov/ncas/current-activity/2015/04/23/WordPress-Releases-Security-Update
April 23, 2015
___

- http://www.securitytracker.com/id/1032199
Apr 27 2015
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 4.1.1, 4.1.2, and 4.2 (and prior)...
The original advisory is available at:
- http://klikki.fi/adv/wordpress2.html
Description: ... A remote user can conduct cross-site scripting attacks.
Solution: No solution was available at the time of this entry...

- https://www.exploit-db.com/exploits/36805/
2015-01-07
"Recommendation: The author has provided a fixed plugin version which should be installed immediately.
product: WordPress Community Events Plugin
vulnerable version: 1.3.5 (and probably below)
fixed version: 1.4
CVE number: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3313
impact: CVSS Base Score 7.5 ...
homepage: https://wordpress.org/plugins/community-events/
___

WordPress Under Attack As Double Zero-Day Trouble Lands
- http://www.forbes.com/sites/thomasbrewster/2015/04/27/wordpress-zero-day-exploits/
4/27/2015 - "... The most pressing issue is a fresh zero-day, a previously unknown and unpatched weakness, affecting the latest version of WordPress, 4.2, and prior iterations, as revealed by Finnish company Klikki Oy yesterday. It released a video and proof of concept code for an exploit of the flaw, which allows a hacker to store malicious JavaScript code on WordPress site comments. Under normal circumstances, this should be blocked as it could be abused to send visitors’ usernames and passwords to a hacker’s site – what’s known as a cross-site scripting attack. All that’s required is for a user’s browser to parse the code when they land on the affected site... users should take all precautions necessary."

:fear::fear:

WordPress 4.2.1 - Security Release

FYI...

WordPress 4.2.1 - Security Release
- https://wordpress.org/news/
April 27, 2015 - "WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately... the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site...
WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.
For more information, see the release notes* or consult the list of changes**..."

* https://codex.wordpress.org/Version_4.2.1

** https://core.trac.wordpress.org/log/branches/4.2?rev=32311&stop_rev=32300

Download
- https://wordpress.org/download/
___

- https://www.us-cert.gov/ncas/current-activity/2015/04/27/WordPress-Releases-Security-Update
April 27, 2015

- http://arstechnica.com/security/201...makes-it-easy-to-hijack-millions-of-websites/
Apr 27, 2015

- http://blog.trendmicro.com/trendlab...ites-at-risk-trend-micro-solutions-available/
April 29, 2015 - "... We urge site administrators to upgrade their versions of WordPress to the latest version (4.2.1), which fixes these vulnerabilities. This can usually be easily done via the WordPress dashboard..."

:fear::fear:

WordPress 4.2.2 Security and Maintenance Release

FYI...

WordPress 4.2.2 Security and Maintenance Release
- https://wordpress.org/news/2015/05/wordpress-4-2-2/
May 7, 2015 - "WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
Version 4.2.2 addresses two security issues:
> The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it...
> WordPress versions 4.2 and earlier are affected by a -critical- cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue...
The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor... WordPress 4.2.2 also contains fixes for -13- bugs from 4.2...

Release notes:
- https://codex.wordpress.org/Version_4.2.2

Download:
- https://wordpress.org/download/
... or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.
___

- https://www.us-cert.gov/ncas/current-activity/2015/05/07/WordPress-Security-and-Maintenance-Release
May 07, 2015
___

- http://www.theinquirer.net/inquirer...millions-of-users-vulnerable-to-hackers-again
May 8 2015 - "... The two culprits are JetPack, a customisation and performance tool with one million active installations, and TwentyFifteen, a theme designed to enable infinite scrolling that is installed into new WordPress sites as a default. A Document Object Model (DOM)-based cross-site scripting (XSS) flaw has made the plugins vulnerable to hackers, and could affect millions of WordPress users. The attack payload is executed as a result of modifying the DOM environment in a victim's browser used by the original client side script, so that the client side code runs in an unexpected way. Security firm Sucuri* found that the flaw in the two plugins is the result of an insecure file included with genericons, which are vector icons embedded in a web font..."
* https://blog.sucuri.net/2015/05/jet...ulnerable-to-dom-based-xss.html#disqus_thread
May 6, 2015

:fear::fear:
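
Added example (my own code, not the WordPress team's): a Python check that does by hand what the release note says 4.2.2 does for you, walk wp-content and flag any HTML file shipped inside a genericons directory, since an icon font package has no business serving a page that runs script. It reports by default and deletes only when asked. The announcement quoted above does not name the file, so the check matches any .html/.htm under a genericons folder rather than a specific filename; the directory tree in the built-in demo is constructed.

```python
"""Find (and optionally remove) HTML files bundled inside genericons/ directories
under wp-content. Added example, not WordPress core's own scan."""
import os
import sys
import tempfile


def find_genericons_html(wp_content):
    """Paths of .html/.htm files living inside any directory named 'genericons'."""
    hits = []
    for root, _dirs, files in os.walk(wp_content):
        if os.path.basename(root).lower() != "genericons":
            continue
        for name in files:
            if name.lower().endswith((".html", ".htm")):
                hits.append(os.path.join(root, name))
    return sorted(hits)


def remediate(wp_content, delete=False):
    """Print every flagged file; remove it when delete=True. Returns what was removed."""
    removed = []
    for path in find_genericons_html(wp_content):
        print(("removing " if delete else "found ") + path)
        if delete:
            os.remove(path)
            removed.append(path)
    return removed


def demo():
    """Constructed wp-content tree: one offending file in a theme's genericons/
    directory, a CSS file beside it, and a decoy HTML file elsewhere. Returns the
    relative paths flagged before remediation and the list left afterwards."""
    with tempfile.TemporaryDirectory() as wp_content:
        bad_dir = os.path.join(wp_content, "themes", "demo-theme", "genericons")
        ok_dir = os.path.join(wp_content, "plugins", "demo-plugin", "docs")
        os.makedirs(bad_dir)
        os.makedirs(ok_dir)
        for directory, name in ((bad_dir, "demo.html"), (bad_dir, "genericons.css"), (ok_dir, "readme.html")):
            with open(os.path.join(directory, name), "w") as f:
                f.write("<!-- constructed placeholder -->\n")
        before = [os.path.relpath(p, wp_content).replace(os.sep, "/")
                  for p in find_genericons_html(wp_content)]
        remediate(wp_content, delete=True)
        after = find_genericons_html(wp_content)
        return before, after


if __name__ == "__main__":
    if len(sys.argv) > 1:
        remediate(sys.argv[1], delete="--delete" in sys.argv[2:])   # e.g. /var/www/html/wp-content
    else:
        print(demo())
```

Deleting the file is safe because nothing in the theme or plugin links to it; it only ships as part of the font package. Re-run after each theme or plugin update, since an unpatched vendor copy can reintroduce it, which is exactly why core keeps scanning for it rather than fixing it once.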