WORDPRESS DELIVERS SECOND PATCH FOR SQL INJECTION BUG

A bug exploitable in WordPress 4.8.2 and earlier creates unexpected and unsafe conditions ripe for a SQL injection attack, exposing sites created on the content management system to takeover.

WordPress released WordPress 4.8.3 Tuesday, which mitigates the vulnerability.

“This is a security release for all previous versions and we strongly encourage you to update your sites immediately,” according to WordPress. The vulnerability is not tied to the WordPress Core, rather plugins and themes that could be used to trigger a SQL injection attack, WordPress said.

The 4.8.3 update fixes a previous release made available on Sept. 19.

“Worst case would be remote code execution where they could take over installs of WordPress and the servers they are running on,” said Anthony Ferrara, the researcher who identified the flawed WordPress 4.8.2 patch.

The roots of the SQL injection date back to a vulnerability (CVE-2017-14723) first reported on Sept. 17, 2017. WordPress then attempted to mitigate the vulnerability with WordPress 4.8.2. That patch did not fix the issue, worsened the underlying security vulnerability and “broke” a large undisclosed number of third-party WordPress plugins.

“Our plugin broke,” said Matt Barry, a lead developer at WordFence. “The initial WordPress fix created huge headaches for plugin developers like us.”

On Sept. 20, Ferrara reported through the HackerOne bug bounty platform the fix was incomplete.

“I filed a security vulnerability report and notify them the fix isn’t a fix and suggest they should revert and fix properly (with included details on how to fix),” according to a post outlining the disclosure on Ferrara’s personal blog.

After going back and forth with WordPress for weeks, Ferrara said, he announced on Oct. 16 his intent to disclose the issue publicly. More back and forth ensued, and on Oct. 20, he said, WordPress told him it was “working on it” and discussing details of the fix. After 11 more days of hammering out the technical details of that fix, the patch was released on Oct. 31.

The vulnerability itself affects WordPress versions 4.8.2 and earlier. The issue occurred because, as WordPress describes it, “$wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection.”

The root issue is that the prepare system is poorly designed and needed to be fixed, Ferrara said. He said a patch to remove the “double prepare” from meta.php was eventually delivered, mitigating the vulnerability.
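To make the design problem concrete, here is an added illustration that is not WordPress's wpdb code and not from Ferrara's write-up: a simplified Python model of a sprintf-style prepare() supporting %s, %d and numbered placeholders such as %1$s. It shows why preparing an already-prepared fragment a second time re-interprets a '%' that arrived inside a value, and the two remedies the article describes: a prepare() that neutralizes '%' in substituted values until execution time, and removing the double prepare so each value is formatted exactly once. The names (prepare_naive, prepare_hardened, PCT_TOKEN, remove_placeholder_escape), the wp_postmeta query and the "color%1$s" input are constructed for the example.

```python
import re
import secrets

# Added illustration, not WordPress's wpdb code: a simplified model of a
# sprintf-style prepare() that supports %s, %d and numbered forms like %1$s.
PLACEHOLDER = re.compile(r"%(?:(\d+)\$)?([sd])")

# Per-process token that stands in for '%' inside values (models the idea of a
# placeholder-escape token; the token itself contains no '%').
PCT_TOKEN = "{pct-" + secrets.token_hex(8) + "}"


def escape(value):
    """Model of MySQL string escaping: backslash-escape backslashes and quotes."""
    return str(value).replace("\\", "\\\\").replace("'", "\\'")


def _substitute(query, args, protect_percent):
    """Run one printf-style pass over query, quoting and escaping string args."""
    pos = 0

    def sub(match):
        nonlocal pos
        number, kind = match.group(1), match.group(2)
        if number:
            index = int(number) - 1
        else:
            index = pos
            pos += 1
        if index >= len(args):
            raise ValueError(f"placeholder {match.group(0)} has no argument")
        if kind == "d":
            return str(int(args[index]))
        text = escape(args[index])
        if protect_percent:
            # A '%' inside a value must never look like a placeholder to a later pass.
            text = text.replace("%", PCT_TOKEN)
        return "'" + text + "'"

    return PLACEHOLDER.sub(sub, query)


def prepare_naive(query, *args):
    """Pre-fix behaviour: values are escaped for quotes, but '%' passes through untouched."""
    return _substitute(query, args, protect_percent=False)


def prepare_hardened(query, *args):
    """Post-fix behaviour: '%' in values is replaced by a token until execution time."""
    return _substitute(query, args, protect_percent=True)


def remove_placeholder_escape(query):
    """Restore literal '%' right before the query is sent to the database."""
    return query.replace(PCT_TOKEN, "%")


def double_prepare_lookup(prepare, meta_key, meta_value):
    """The 'double prepare' pattern: a helper prepares a fragment, and the caller
    embeds that already-prepared fragment in a query it prepares again."""
    fragment = prepare("meta_key = %s", meta_key)
    return prepare(
        "SELECT * FROM wp_postmeta WHERE " + fragment + " AND meta_value = %s",
        meta_value,
    )


def single_prepare_lookup(prepare, meta_key, meta_value):
    """The caller-side fix: every value goes through prepare() exactly once."""
    return prepare(
        "SELECT * FROM wp_postmeta WHERE meta_key = %s AND meta_value = %s",
        meta_key, meta_value,
    )


if __name__ == "__main__":
    # Constructed input: a meta_key that happens to contain a numbered placeholder.
    key, value = "color%1$s", "red"
    print("naive double prepare   :", double_prepare_lookup(prepare_naive, key, value))
    print("hardened double prepare:", remove_placeholder_escape(
        double_prepare_lookup(prepare_hardened, key, value)))
    print("single prepare         :", single_prepare_lookup(prepare_naive, key, value))
```

With the naive prepare(), the second pass treats the %1$s that arrived inside meta_key as a placeholder and splices the meta_value argument into the meta_key literal, so the quoting structure of the query no longer matches what the caller intended. The hardened prepare() and the single-prepare caller both yield a query in which the key is still the literal string color%1$s. The model keeps only the parts of the design needed to show this; the real wpdb also handles other format characters and edge cases.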

“These types of fixes can be tricky,” Barry said. Plugins are often the friendly-fire casualties for these types of WordPress patches, he said.

“The core issue is mitigated. My perspective of the interaction was frustrating at first, but got far better towards the end,” Ferrara said in his blog. “I was disappointed for a good part of the past six weeks. I’m now cautiously hopeful.”

MICROSOFT PATCHES 20 CRITICAL VULNERABILITIES

Microsoft tackled 53 vulnerabilities with today’s Patch Tuesday bulletin. Remote code execution bugs dominated this month’s patches, representing 25 fixes. In total, 20 of Microsoft’s security fixes were rated critical.

Notable are four vulnerabilities with public exploits identified by Microsoft as CVE-2017-11848, CVE-2017-11827, CVE-2017-11883 and CVE-2017-8700. But, according to an analysis of Patch Tuesday fixes by Qualys, none of the four are being used in active campaigns.

Security experts say companies should prioritize patching a half-dozen scripting engine memory corruption vulnerabilities impacting Microsoft’s Edge and Internet Explorer 11 browsers running on versions of Windows 10, Windows 8.1, Windows 7 and Windows Server (version 1709).

“A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” wrote Microsoft regarding CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873.

Microsoft said if exploited, an attacker could gain the same user rights as the current user. “In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website,” Microsoft wrote. “These websites could contain specially crafted content that could exploit the vulnerability.”

Researchers at Zero Day Initiative said that among the critical vulnerabilities it spotted, a distinct malware bypass theme emerged. It wrote, “CVE-2017-11830 patches a Device Guard security feature bypass vulnerability that would allow malware authors to falsely authenticate files… CVE-2017-11877 fixes an Excel security feature bypass vulnerability that fails to enforce macro settings, which are often used by malware developers.”

“Speaking of malware, this patch fixes a CVE (CVE-2017-11830) that allows Device Guard to incorrectly validate an untrusted file. This means attackers could make an unsigned file appear to be signed. Since Device Guard relies on a valid signature to determine trustworthiness, malicious files could be executed by making untrusted files seem trusted. This is exactly the sort of bug malware authors seek, as it allows them to have their exploit appear as a trusted file to the target,” ZDI wrote.

Part of Patch Tuesday also included an advisory (ADV170020), which is related to the Microsoft Office Defense in Depth Update series. “ADV170020 is likely related to the malware abusing Dynamic Data Exchange, and this advisory may help restrict abusing this protocol feature,” wrote Zero Day Initiative researchers.

Despite a number of attacks that have used Dynamic Data Exchange fields in Office, Microsoft has remained insistent that DDE is a product feature and not a vulnerability.

Part of Patch Tuesday also includes something new, according to Greg Wiseman, Rapid7’s senior security researcher, who said Microsoft is applying fixes to some of its open source projects. “Sixteen of the Edge vulnerabilities have been resolved in ChakraCore, the open source part of Edge’s JavaScript engine,” Wiseman said. “.NET Core is being patched for a denial of service (DoS) vulnerability (CVE-2017-11770), and ASP.NET Core has fixes for DoS (CVE-2017-11883), privilege escalation (CVE-2017-11879), and information disclosure (CVE-2017-8700) vulnerabilities this month.”

Lastly, Qualys warns that CVE-2017-11882, a Microsoft Office memory corruption vulnerability rated as important, should be prioritized. “There may be POC code for this vulnerability, so it is recommended that you give the Office updates attention this month as well,” Qualys wrote.