How to Keep WordPress Secure

September 5, 2009 – 2:09 PM

A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later.

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at the users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.
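A defender-side triage script for the behaviour described above, added here as an example; it is not code from WordPress or from the original post. It assumes two constructed inputs, a user list exported from the blog and the raw HTML of a few posts, and flags administrator accounts the site owner did not create plus posts carrying hidden markup or injected script and iframe tags. Reading exported data rather than the rendered Users page sidesteps the JavaScript the worm uses to hide its account:

```python
"""Triage for a compromised WordPress install: rogue admins and hidden post content.

Added example. KNOWN_ADMINS, USERS and POSTS are constructed sample data,
not records from a real blog. On a live site the same checks would run over
rows pulled from the wp_users/wp_usermeta and wp_posts tables.
"""
import re

# Constructed: the administrator logins the site owner actually created.
KNOWN_ADMINS = {"matt"}

# Constructed user export (login, role, registration date).
USERS = [
    {"login": "matt", "role": "administrator", "registered": "2005-01-10"},
    {"login": "editor_jane", "role": "editor", "registered": "2008-03-02"},
    {"login": "jxl9Kq_", "role": "administrator", "registered": "2009-09-04"},
]

# Constructed post bodies: one clean, one with a hidden spam block, one with a script tag.
POSTS = [
    {"id": 1, "content": "<p>Normal post with a <a href='/about'>link</a>.</p>"},
    {"id": 2, "content": '<p>Old post.</p><div style="display:none">'
                         "<a href='http://example.com/spam'>buy</a></div>"},
    {"id": 3, "content": "<p>Another.</p><script>document.write('x')</script>"},
]

# CSS tricks commonly used to keep injected content out of sight:
# display:none, visibility:hidden, zero font size, or pushed far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?!\.)|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
IFRAME_TAG = re.compile(r"<iframe\b", re.IGNORECASE)


def rogue_admins(users, known_admins):
    """Return logins holding the administrator role that the owner did not create.

    This works from the stored data, so an account hidden on the Users page
    by injected JavaScript still shows up here.
    """
    return sorted(u["login"] for u in users
                  if u["role"] == "administrator" and u["login"] not in known_admins)


def suspicious_posts(posts):
    """Return (post id, reason) pairs for posts with hidden containers,
    inline script tags or iframes, in post order."""
    findings = []
    for p in posts:
        html = p["content"]
        if HIDDEN_STYLE.search(html):
            findings.append((p["id"], "hidden-element"))
        if SCRIPT_TAG.search(html):
            findings.append((p["id"], "script-tag"))
        if IFRAME_TAG.search(html):
            findings.append((p["id"], "iframe-tag"))
    return findings


if __name__ == "__main__":
    print("Unexpected administrators:", rogue_admins(USERS, KNOWN_ADMINS))
    for post_id, reason in suspicious_posts(POSTS):
        print(f"post {post_id}: {reason}")
```

A hit from either function is a reason to take the site offline, upgrade, reset every password and rebuild the posts from a known-good backup; the script only tells you where to look, it does not clean anything.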

Source:
http://wordpress.org/development/2009/09/keep-wordpress-secure/

Kernel 2.6.31 To Speed Up Linux Desktop

September 5, 2009 – 12:34 PM

Dan Jones writes “As the Linux community looks forward to another kernel release, the kernel hackers have been working on improving the memory management so that the X desktop responsiveness is doubled under high memory pressure. The result is an improved desktop experience. Benchmarks on memory-tight desktops show clock time and major faults reduced by 50 per cent, and pswpin numbers (memory reads from disk) are reduced to about one-third. Another improvement coming with 2.6.31 is kernel mode-setting support for ATI Radeon graphics cards, enabling faster user switching and a more seamless startup experience. Peripheral developments that will also improve the Linux desktop experience include support for the new USB 3.0 specification and a new Firewire stack. Even minor Linux releases have heaps of new features these days!”

Source:
http://linux.slashdot.org/story/09/09/05/161230/Kernel-2631-To-Speed-Up-Linux-Desktop?from=rss

Microsoft Warns IIS Vulnerability Is Under Attack

September 5, 2009 – 12:21 PM

Microsoft officials are reporting limited attacks targeting a zero-day vulnerability in the FTP service in Internet Information Services.

The IIS vulnerability warning follows the release of new exploit code that can be used to create a DoS (denial of service) condition on Windows XP and Windows Server 2003 without requiring Write access. Also, a new proof of concept allowing a DoS was disclosed Sept. 2 that affects FTP 6, which shipped with Windows Vista and Windows Server 2008.

Microsoft first issued an advisory on the bug Sept. 1, a day after exploit code for the vulnerability was posted on Milw0rm. In addition to a DoS, if the bug is successfully exploited it can allow remotely authenticated users to execute arbitrary code via a crafted NLST command that uses wildcards.

“An attacker with access to FTP Service could use this vulnerability to cause a stack-based overrun that could allow execution of arbitrary code in the context of the LocalSystem account on systems running IIS 5.0, or denial of service on affected systems running IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0,” Microsoft warned. “In configurations of FTP Service where anonymous authentication is allowed, the attacker need not be authenticated for exploitation to occur.”
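A log-side check for the NLST behaviour Microsoft describes, added here as an example and not taken from Microsoft's advisory or the eWeek article. The log lines and their column layout are constructed for the example (a simplified W3C-style layout that names its columns in a '#Fields:' line), not a verbatim IIS FTP log; the parser takes the column names from that header, so a real log's own header would drive it the same way. The 64-character threshold is an assumption. It flags directory-listing commands whose wildcard argument is abnormally long and records whether the session was anonymous, since the advisory notes that anonymous configurations need no authentication for exploitation:

```python
"""Flag abnormally long wildcard NLST/LIST arguments in FTP logs.

Added example. SAMPLE_LOG is constructed; its '#Fields:' line is a simplified
W3C-style header, not the exact field list IIS writes.
"""
import re
from dataclasses import dataclass

# Constructed: an abnormally long wildcard pattern standing in for a crafted argument.
LONG_WILDCARD = "a*" * 150

SAMPLE_LOG = "\n".join([
    "#Software: constructed sample, not an actual IIS log",
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status",
    "2009-09-04 10:01:02 192.0.2.10 alice USER alice 331",
    "2009-09-04 10:01:03 192.0.2.10 alice PASS *** 230",
    "2009-09-04 10:01:05 192.0.2.10 alice NLST *.txt 226",
    "2009-09-04 10:02:11 198.51.100.7 anonymous USER anonymous 331",
    "2009-09-04 10:02:12 198.51.100.7 anonymous PASS *** 230",
    f"2009-09-04 10:02:14 198.51.100.7 anonymous NLST {LONG_WILDCARD} 550",
    "2009-09-04 10:03:00 203.0.113.5 bob LIST - 226",
])

WILDCARD = re.compile(r"[*?]")
LISTING_COMMANDS = {"NLST", "LIST"}


@dataclass
class Finding:
    client_ip: str
    user: str
    command: str
    arg_len: int
    anonymous: bool  # anonymous sessions matter: no credentials needed to reach this code


def parse_w3c(text):
    """Yield one dict per record, naming columns from the '#Fields:' directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet or malformed record: skip rather than guess
        yield dict(zip(fields, parts))


def find_wildcard_listings(text, max_arg_len=64):
    """Return a Finding for each NLST/LIST whose argument contains a wildcard
    and is longer than max_arg_len characters (assumed threshold)."""
    findings = []
    for rec in parse_w3c(text):
        cmd = rec["cs-method"].upper()
        arg = rec["cs-uri-stem"]
        if cmd in LISTING_COMMANDS and WILDCARD.search(arg) and len(arg) > max_arg_len:
            user = rec["cs-username"]
            findings.append(Finding(rec["c-ip"], user, cmd, len(arg),
                                    user.lower() == "anonymous"))
    return findings


if __name__ == "__main__":
    for f in find_wildcard_listings(SAMPLE_LOG):
        who = "anonymous" if f.anonymous else f.user
        print(f"{f.client_ip} ({who}) sent {f.command} with a {f.arg_len}-char wildcard argument")
```

Until the patch is applied, the same log review pairs naturally with the mitigation the advisory implies: disable anonymous FTP access where it is not needed, and limit which accounts can reach the FTP service at all.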

Source:
http://www.eweek.com/c/a/Security/Microsoft-Warns-IIS-Vulnerability-Under-Attack-889690/?kc=rss

Microsoft To Release Five Critical Patches Tuesday

September 5, 2009 – 12:01 PM

Microsoft will roll out a total of five critical patches for numerous versions of Windows operating systems in its upcoming September “Patch Tuesday” security update release, according to a Microsoft Advanced Notification bulletin posted Thursday.

All five patches plug holes that allow remote code execution, indicating that hackers could remotely exploit the vulnerabilities by launching malicious code to infiltrate users’ PCs. Hackers often execute information-stealing malware for identity-theft activities, typically enticing users to click on infected links or visit a malicious site through some kind of social engineering scheme.

Of the five critical patches Microsoft plans to release, two require mandatory restarts, which is anticipated to cause some level of enterprise disruption, experts said.

Altogether, the patches target several versions of Windows, including Windows 2000, XP and Vista, as well as all three of Microsoft’s server platforms: 2000, 2003 and 2008. However, security experts speculate on whether the current critical patch load will also include fixes for Windows 7, scheduled for release Oct. 22, in light of the fact that the soon-to-be-released operating system shares a significant amount of code with Windows Vista.

Source:
http://www.crn.com/security/219501306;jsessionid=4MRUFOZFGSBKXQE1GHOSKHWATMY32JVN

Mozilla Expands on Plugin Protection Plans

September 5, 2009 – 11:40 AM

Mozilla has expanded on the plans they acknowledged yesterday to check the version of Flash you are running to make sure that it’s not outdated.

In a comment in that same blog, in response to a question I asked, Mozilla’s Director of Evangelism Christopher Blizzard added a few more points:

  • They will have a regular page where you can go to check the state of other plugins. This will happen some time this month.
  • Firefox 3.6 will check for newer versions of plugins just as current versions check for newer versions of Firefox and extensions. If it sees one that’s out of date you’ll be sent to the appropriate page to update.
  • They’re going to try to get the plugin service that they currently use for installations to upgrade plugins as well.
  • They’re considering using Adobe’s Express Install system, which can update Flash from the Flash plugin without having to use a separate installer.

Source:
http://blogs.pcmag.com/securitywatch/2009/09/mozilla_expands_on_plugin_prot.php