A handful of worrisome vulnerabilities in Honeywell building automation system software disclosed last week are a case in point of how far the industry continues to lag in securing SCADA and industrial control systems. Honeywell published in September new firmware that patches vulnerabilities privately disclosed by researcher Maxim Rupp in its XL Web II controllers. The flaws could give an attacker the ability to access relatively unprotected credentials and use those to manipulate, for example, environmental controls inside a building. While these aren’t critical infrastructure systems such as wastewater, energy or manufacturing, building automation system hacks can be expensive to remedy and, in a worst-case scenario, afford an attacker the ability to pivot to a corporate network. Experts told Threatpost that building automation systems can be used to remotely manage heating, air conditioning, water, lighting and door security, and help reduce building operations costs. They’re also popping up as more and more buildings go green; such systems, for example, are crucial to Leadership in Energy and Environmental Design (LEED) certification from the United States Green Building Council. “The main risk from this is a super simple method of accessing building system HMIs, whether for mischief or maybe even ransom. Controllers like this provide an easy interface to operating the entire building system, no additional programming knowledge or protocol expertise required,” said Michael Toecker of Context Information Security. “Unless very poorly designed, a user can’t damage equipment from the HMI, but they can make the building inhospitable, inefficient, and expensive to fix.”
The Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued an advisory last Thursday warning of five vulnerabilities in the Honeywell XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. Four of the five are authentication-related flaws, the most serious of which involved passwords either stored in clear text or reachable by accessing a particular URL. A user with low privileges could also open and change parameters via a URL, ICS-CERT said. Honeywell also patched a session fixation vulnerability that allowed an attacker to establish new user sessions without invalidating prior sessions, giving them access to authenticated sessions. It also patched a path traversal bug that allowed attackers to carry out directory traversal attacks via a URL.
Popular security products such as anti-viruses and middleboxes put customers at risk through poor transport layer security (TLS) interception implementations, researchers have found. A group of researchers from United States universities as well as tech companies Google, Mozilla, and Cloudflare tested middleboxes - which act as network proxies for traffic analysis and content filtering - from A10, Blue Coat, Barracuda, CheckPoint, Cisco, Fortinet, Juniper, Microsoft, Sophos, Untangle, and WebTitan. All but the Blue Coat device weakened connection security and introduced TLS vulnerabilities such as Logjam, weak export and RC4 ciphers, or did not validate digital certificates properly. The researchers also tested [pdf] 29 anti-viruses, and found 13 would intercept TLS connections. Only Avast versions 10 and 11 for Windows did not reduce TLS connection security. Interception of TLS connections involves security products injecting their own certificates into web browsers or devices on organisation networks. This allows them to terminate TLS connections, decrypt the traffic so as to look for malicious or disallowed content, and then re-initiate the TLS connection after analysis is complete. Such interception is increasingly prevalent, the researchers said, meaning the security community is working at cross purposes: the attempts to detect and block harmful traffic dramatically reduce connection security. “Many of the vulnerabilities we find in anti-virus products and corporate middleboxes — such as failing to validate certificates and advertising broken ciphers — are negligent and another data point in a worrying trend of security products worsening security rather than improving it,” they wrote.
Compounding the problem, the researchers noted that while it was possible to adjust middlebox settings in many cases to avoid them degrading TLS security, their configuration was “confusing, oftentimes with little or no documentation”. “We note that the installation process for many of these proxies is convoluted, crash-prone, and at times, non-deterministic,” they said. Testing middleboxes with services such as Qualys SSL Labs, How’s My SSL, and Bad SSL is a must for administrators, the researchers said. There is no good reason for anti-virus vendors to intercept TLS since their software operates locally and already has access to the file system, browser memory, and any content loaded over HTTPS, they claimed. The researchers disclosed the vulnerabilities in the security products to vendors, but said the reception to the reports varied greatly. “In many cases, we received no response and in other cases, we were unable to convince manufacturers that TLS vulnerabilities such as Logjam required patching,” they wrote.
Having had more than a week to digest Cloudbleed’s causes and impact, Cloudflare CEO Matthew Prince assessed the damage yesterday in a lengthy post-mortem as relatively low. Prince said there is no evidence the vulnerability, which leaked customer data from memory, was exploited by attackers. The bug, however, was triggered more than 1.2 million times from 6,500 sites that met the criteria under which it could be exploited. In the meantime, Cloudflare continues to work with Google and other search engine providers to scrub cached sites that could contain any leaked data from memory. “We’ve successfully removed more than 80,000 unique cached pages. That underestimates the total number because we’ve requested search engines purge and recrawl entire sites in some instances,” Prince said. Prince said the leaks have included internal Cloudflare headers and customer cookies, but there is no evidence of passwords, encryption keys, payment card data or health records among them. The vulnerability was privately disclosed Feb 17 by Google Project Zero researcher Tavis Ormandy, who reported that he did see crypto keys, passwords, POST data and HTTPS requests for other Cloudflare-hosted sites among data from other requests. Ormandy initially said in a tweet that Cloudflare was leaking customer HTTPS sessions for Uber, FitBit, OKCupid and others, all of which said the impact of Cloudbleed on their data was minimal. “While the bug was very bad and had the potential to be much worse,” Prince said. Prince explained that the bug was triggered only when a webpage moving through the Cloudflare network contained HTML ending with an un-terminated attribute, and only if a number of Cloudflare features were turned on.
Those features work hand in hand with a Cloudflare stream parser used to scan and modify content in real time, such as rewriting HTTP links to HTTPS—a feature called Automatic HTTPS Rewrites—or hiding email addresses on a page from spammers—a feature called Email Address Obfuscation. The need for the page to end with an un-terminated attribute was key. “When a page for a particular customer is being parsed it is stored in memory on one of the servers that is a part of our infrastructure. Contents of the other customers’ requests are also in adjacent portions of memory on Cloudflare’s servers,” Prince said. “The bug caused the parser, when it encountered an un-terminated attribute at the end of a page, to not stop when it reached the end of the portion of memory for the particular page being parsed. Instead, the parser continued to read from adjacent memory, which contained data from other customers’ requests. The contents of that adjacent memory were then dumped onto the page with the flawed HTML.” Anyone accessing one of those pages would see the memory dump, looking a lot like random text, below, Prince said. An attacker would need to pound one of those sites with numerous requests to trigger the bug and then record the results, getting a mix of useless data and sensitive information, Prince said. “The nightmare scenario we have been worried about is if a hacker had been aware of the bug and had been quietly mining data before we were notified by Google’s Project Zero team and were able to patch it,” Prince said. “For the last 12 days we’ve been reviewing our logs to see if there’s any evidence to indicate that a hacker was exploiting the bug before it was patched. We’ve found nothing so far to indicate that was the case.”
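The over-read Prince describes, as an added C illustration that is not Cloudflare’s parser: a constructed arena holds one customer’s page immediately followed by another tenant’s request data, and the flawed attribute scan keeps reading past the page boundary when the attribute is never closed, while the bounded scan stops at the boundary and reports an error. The arena contents, the page length and the attr_value function are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed arena standing in for server memory: one customer's "page 1"
 * is immediately followed by another customer's request data, the adjacent
 * layout Prince describes. Illustrative data, not Cloudflare's parser. */
static const char ARENA[] =
    "<a href=\"/login"                        /* page 1: attribute never closed */
    "Cookie: session=SECRET-OF-OTHER-TENANT"  /* adjacent request: other tenant */
    "\"";                                     /* the only closing quote anywhere */
/* Byte count of page 1, the region the parser is supposed to stay within. */
#define PAGE1_LEN (sizeof("<a href=\"/login") - 1)

/* Copy the value of the first quoted attribute in [start, start+len) into
 * out. Returns bytes copied, or -1 if the attribute is not terminated inside
 * the page. bounded=1 selects the hardened scan, 0 the flawed one. */
static int attr_value(const char *start, size_t len, int bounded,
                      char *out, size_t outsz)
{
    const char *end = start + len;
    const char *p = memchr(start, '"', len);
    if (p == NULL) return -1;
    p++;                                    /* first byte of the value */
    const char *q = p;
    if (bounded) {
        /* Hardened: the page boundary also ends the scan; a missing quote
         * is an error rather than a licence to keep reading. */
        while (q < end && *q != '"') q++;
        if (q == end) return -1;
    } else {
        /* Flawed: only a closing quote stops the loop, so an unterminated
         * attribute lets it walk into whatever memory follows the page. */
        while (*q != '"') q++;
    }
    size_t n = (size_t)(q - p);
    if (n >= outsz) n = outsz - 1;          /* never overflow the caller's buffer */
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[128];
    int n = attr_value(ARENA, PAGE1_LEN, 0, buf, sizeof buf);
    printf("flawed scan returned %d bytes: \"%s\"\n", n, buf);
    n = attr_value(ARENA, PAGE1_LEN, 1, buf, sizeof buf);
    printf("bounded scan returned %d: attribute unterminated, nothing leaked\n", n);
    return 0;
}
```

The flawed scan stays inside the arena here only because the example plants a closing quote at its end; in a real process the loop would read whatever happens to sit after the page, which is exactly the data the post-mortem says ended up in cached pages.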
Prince said Cloudflare customers who find any leaked cached data can send a link to the caches to parserbug@cloudflare[.]com.

Over 2,000 WordPress sites are infected as part of a keylogger campaign that leverages an old malicious script.