MailPoet Newsletters Plugin For WordPress Vulnerable, Update Available

If you have responsibility for a corporate blog (or run your own) and it runs on WordPress and has a newsletter then I would suggest that you check how your newsletters are handled.

If you find that your blog relies upon MailPoet (a plugin that has been downloaded over 1.7 million times) then you need to be aware that a vulnerability was discovered yesterday which allows a hacker to upload just about anything to the affected site without any form of authentication being required.

Daniel Cid, CTO of Sucuri, gave the following warning in a blog post:

“If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable.”

Sucuri researchers, who kept most of the technical details to themselves for obvious reasons, said that the vulnerability allows a potential attacker to do just about anything on his victim’s website, such as sending out spam, affecting other sites on the same shared host, acting as a lure for phishing attacks and hosting malware directly.

Cid explained that:

“The basics of the vulnerability however is something all plugin developers should be mindful of: the vulnerability resides in the fact that the developers assumed that WordPress’s “admin_init” hooks were only called when an administrator user visited a page inside /wp-admin/.

It is an easy mistake to make and they used that hook (admin_init) to verify if a specific user was allowed to upload files.

However, any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated, thus making their theme upload functionality available to everybody.”
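The hook mistake Cid describes, shown as an added illustration (this is not MailPoet's code): a handler that treats `admin_init` as proof of an administrator beside one that checks a capability and a nonce. The WordPress functions and hook names are real; the `example_` names and the `theme_zip` field are assumed for the illustration.

```php
<?php
// Weak pattern: admin_init fires on every request that loads the admin bootstrap,
// including /wp-admin/admin-post.php, which serves unauthenticated visitors too.
// Reaching this code therefore proves nothing about who is making the request.
add_action( 'admin_init', 'example_weak_upload_handler' );
function example_weak_upload_handler() {
    if ( empty( $_FILES['theme_zip'] ) ) {
        return;
    }
    // No current_user_can() and no nonce check: an anonymous POST with a
    // theme_zip field to admin-post.php lands here and the file is stored.
    wp_handle_upload( $_FILES['theme_zip'], array( 'test_form' => false ) );
}

// Hardened pattern: register only on the authenticated admin_post_{action} hook
// (deliberately no admin_post_nopriv_ twin), then verify capability and nonce.
add_action( 'admin_post_example_theme_upload', 'example_hardened_upload_handler' );
function example_hardened_upload_handler() {
    // Authorization is a capability, not "the admin bootstrap ran".
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Matches the field emitted by wp_nonce_field( 'example_theme_upload' ) in the form;
    // check_admin_referer() dies on a missing or invalid nonce.
    check_admin_referer( 'example_theme_upload' );

    if ( empty( $_FILES['theme_zip'] ) ) {
        wp_die( 'No file supplied.', '', array( 'response' => 400 ) );
    }
    // Restrict the accepted type; wp_handle_upload() rejects anything outside 'mimes'.
    $result = wp_handle_upload(
        $_FILES['theme_zip'],
        array( 'test_form' => false, 'mimes' => array( 'zip' => 'application/zip' ) )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url( 'themes.php?uploaded=1' ) );
    exit;
}
```

In the hardened version the only way to reach the upload call is a logged-in user holding `upload_files` who submitted a form carrying a valid nonce, which is the check the `admin_init` assumption was standing in for.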

Cid goes on to say that the research team shared their findings with the plugin author a few weeks ago and, to their credit, they responded well and issued a new patched version (2.6.7) yesterday. Unfortunately, however, the author makes little mention of the security issue, bar one line in the changelog, so it’s quite likely that a large number of users may not be aware of the pressing need to install the latest version.

If you are using the MailPoet plugin then you should check now that you have the latest version installed.

If you don’t then you can navigate to your blog’s Dashboard.

From there, click on Plugins > Update Available and look for the MailPoet plugin. Directly underneath it you will see the option to ‘upgrade now’. Click on that and follow the instructions.

Alternatively, you can find the plugin via WordPress.org (click here), download the latest version and then follow the installation guide.

As ever, I would advise running a full backup of your site before making any changes such as updating core files or plugins and, if you don’t already have one, now would also be a good time to implement a regular backup schedule, just in case anything does ever go wrong in the future (WordPress is a popular target for attackers and this isn’t the first time that a noteworthy plugin has had issues lately).

List of the TOP 25 Most Dangerous Programming Errors Released

Earlier today the List of the Top 25 Most Dangerous Programming Errors was released. The list was compiled by a number of different organisations and coordinated by the SANS Institute.

Criminals are moving away from attacking the infrastructure layer and towards finding ways into systems through bugs in the applications sitting on top of that infrastructure. In light of this change in tactics it is very important that, if you are responsible for developing applications, you ensure that your code does not contain any of these errors. If you are not responsible for developing applications then make sure this list gets to those who are and that they pay heed to it.

SSL Certificates Vulnerable to Attack

The computer security community is abuzz with the news announced today by a team of security researchers at the 25th Chaos Communication Congress in Berlin. The researchers demonstrated how they were able to generate a fake Certificate Authority certificate, which would allow them to impersonate any secure website using SSL certificates.

The research is very interesting and the full paper is available here.  What I particularly liked is they used an array of 200 PS3 game consoles to break the certificate.

However, before we all panic and think that the Internet as we know it has come to an end, we should note that the attack has a number of limitations. Firstly, the attack is against the MD5 algorithm, which has had known weaknesses since 2004. Secondly, the certificates broken were using sequential serial numbers. Finally, the researchers have kept their methods to themselves to allow vendors time to address the issue.

Wired magazine has a good write up on the issue, while Rich Mogull has an excellent post on his blog as to why we should not panic with regards to this issue, as does the Security Uncorked blog.  The Errata Security Blog also highlights that not all certificates based on MD5 are vulnerable.  The SANS Internet Storm Center also has a good write up of the issue with a list of vendor statements regarding the status of their certificates.

You can also use this site to check what SSL certificates are being used by a site you are visiting.

Microsoft To Release Out Of Cycle Patch for IE Vulnerability

Microsoft has announced that it will release an out of band patch for the vulnerability in Internet Explorer as outlined in the Microsoft Security Advisory 961051.

The patch will be released on the 17th December 2008.

Microsoft will host two webcasts to address questions on the patch. The first is scheduled for 13:00 Pacific Time (US & Canada) on the 17th of December; you can register for this webcast at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399448&Culture=en-US.

The second is scheduled for 11:00 AM Pacific Time (US & Canada) on the 18th of December; you can register for this webcast at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399449&Culture=en-US

More details on this out-of-band patch are available at http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

I was interviewed about this vulnerability on this evening’s Last Word Show on Today FM by Matt Cooper. A podcast of the show is available here; my piece is about 5 minutes in from the beginning.

I found it interesting to see how today a security vulnerability is getting press attention, whereas a few years ago it would be computer viruses.  Have we moved on to realise that the threat landscape is changing?

Microsoft Warn of New Attacks Against MS08-067

Microsoft are again urging PC users to apply the MS08-067 emergency patch issued last October due to an increase in attacks aimed at exploiting that vulnerability. In particular a new worm, Worm:Win32/Conficker.A, has been noted as causing a rise in the number of attacks.

Once a PC is infected, Worm:Win32/Conficker.A will patch the vulnerability to prevent the PC from being exploited by another worm or attacker, and will also reset the system restore point to make it more difficult to recover the infected PC.
 
More details are available on the Microsoft Malware Protection Center Blog at http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
 
If you have not yet applied this patch it is strongly recommended that you do.

Microsoft Release Critical Out-Of-Band Patch

Microsoft tonight released a critical patch, MS08-067, outside their normal patch cycle.  For Microsoft to release a patch outside of their patch cycle indicates that this is a serious issue that we must pay attention to. 

I am obviously not the only one who thinks that, as the Internet Storm Center’s Infocon has turned yellow, which means they are “currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: ‘MSBlaster’ worm outbreak.”

The vulnerability could allow an attacker without authentication to remotely run arbitrary code using a specially crafted RPC request on Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems. This is similar in nature to how the MSBlaster worm propagated throughout the Internet, and this vulnerability could be used in the same way. Microsoft have reported that they have seen live targeted attacks on some customer systems using this vulnerability.

It is recommended that you patch your systems ASAP. However patches, be they from Microsoft or other vendors, bring with them many inherent risks that we need to consider before rolling them out onto production systems. Will the patch introduce new problems as well as fixing the ones identified? Will it impact on other applications and systems? If we patch we may have problems; if we don’t we may have a security breach. Not the easiest of choices for an IT or Information Security professional to have to make.

I recommend you look at the following steps to mitigate the problem:

  1. A concise and factual presentation should be made to senior management with the options to address the issue laid out clearly, together with the potential downside to each solution.
  2. Whatever solution is decided upon needs to be agreed to and signed off by senior management.
  3. An incident response team should be set up in order to (a) respond to any side effects from the selected plan of action or (b) respond in the event that your systems are compromised in spite of the steps taken.
  4. Remember as part of the plan to ensure that all your backups have been running successfully and more importantly that you can restore them!
  5. Have key contact details for all relevant personnel in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies, extranet contacts etc.
  6. Communicate clearly with the user population explaining why the patch is being deployed and to report any unusual behaviour.
  7. Ensure that all Anti-Virus signatures and software is up to date.
  8. Ensure all Intrusion Detection/Prevention Systems’ signatures are up to date.
  9. Consider how best to update remote PCs and laptops that may not be connected to your corporate network.
  10. Make sure your perimeter firewall is configured properly and that where possible personal firewalls are installed on desktops and more importantly on servers.

I strongly advise, as with all patches, that you test and are satisfied that the patch does not negatively impact your environment before you deploy it. It may also be worth staying on high alert even after deploying the patch, as:

  1. Other new vulnerabilities could still be found in this feature of Windows.
  2. Not everyone will patch their systems in a timely fashion as we have seen time and time again and their compromise may impact your organisation.

More details are available from the Microsoft Security Response Center and also from the Internet Storm Center.  It is a pity that we do not have our own CERT here in Ireland to help coordinate a response to this issue and help Irish businesses better protect themselves.

Clickjack Proof Of Concept

Details of the much talked about Clickjack exploit are now available on Jeremiah Grossman’s blog, RSnake’s blog and Adobe’s website. Jeremiah and RSnake were meant to demonstrate clickjacking at a recent conference but decided not to in order to give the vendors time to address the problem. Given that this exploit can be used to remotely use a victim’s webcam and/or microphone, the implications for stalking, industrial espionage or indeed national security highlight that the guys were right in waiting.

Jeremiah and Rsnake should be commended on how they handled this issue and credit should also go to the Adobe PSIRT for their response to the problem.

More on the DNS Vulnerability

Since my post on this issue yesterday and also Andy Whelan’s post to the ISSA Ireland’s newslist, a number of people have come back to me offline with regards to the current status within the Irish Internet space.  It seems that a number of ISPs, 16 apparently, have not yet patched their DNS servers.  But the biggest challenge appears to be organisations ensuring that their DNS servers are patched.

Here is an excerpt from an email I received that highlights the challenges:

“We’re patched and we have been notifying our clients who have DNS servers non-patched. There is also a worldwide effort by “non-for-profit security organisations” to alert ISP abuse desks, although whether they act or the sysadmins act on the email is anyone’s guess.

There are 35 ISPs in INEX (https://www.inex.ie/about/memberlist); a quick look through a “special list – as of 21/07/2008” shows there were 16 ISPs with DNS servers in their range vulnerable.

The Irish ISPs have patched their main DNS servers, but the problem seems to be their clients who run their own DNS servers, have servers in hosting centres or rogue departmental servers hidden away that the IT security teams don’t know about.”

More details are emerging of the nature of this problem (hat tip to Security4all) and active exploit tools are now being used. So in short:

  • The criminals have a major opportunity to steal more money,
  • They have automated tools to achieve that goal,
  • They will find vulnerable DNS servers,
  • They will exploit those servers,
  • If you have a vulnerable DNS server they will exploit it!

So to those 16 ISPs, patch your systems ASAP.  If your normal maintenance window is still a number of weeks away then consider using an emergency window instead.  Talk to your upstream ISPs and ensure they also patch their servers.

To those of you who manage or look after your own DNS servers you need to get the finger out and patch them.

Critical DNS Vulnerability Addressed

Various vendors have banded together to fix a critical DNS cache poisoning vulnerability. The vulnerability was discovered by Dan Kaminsky six months ago and can enable criminals to conduct phishing scams by altering DNS records for legitimate sites to point to their phishing sites. The Register has a good article on it and SiliconRepublic.com also cover it. Details of the problem are available from US-CERT and The Internet Storm Center.

Dan Kaminsky’s own Blog goes into more detail on the issue and has an online checker so you can see if your DNS server is impacted.

Finally it is interesting to note that in other countries the response to this has been coordinated by their respective CERTs to ensure ISPs and others are aware of the issue and addressing it.  It will be interesting to see if the Irish Internet space can respond appropriately without our own CERT.

Firefox 3.0 – Hackers 1

Mozilla released the latest version of Firefox on June 17th amidst much fanfare and hype. The major buzz about this release was the attempt by Firefox to break the Guinness Book of Records for the most downloads in a 24hr period for a single program.

Well, the launch has not gone so well for Firefox. Firstly, due to the number of people attempting to download the latest version (over 8 million), the site’s availability has been patchy at best. But worse was to follow: within five hours of its release a security vulnerability affecting the latest version, and previous versions, was discovered. Tipping Point have verified that the vulnerability is real using their Zero Day Initiative. The SANS Internet Storm Center and the Security4all blog provide more coverage on the issue.

For the browser that promotes itself as being more secure than Internet Explorer this is not the best of starts.