Vulnerabilities / Threats
6/22/2011
06:21 PM
50%
50%

WordPress Warns Of Trojanized Plug-Ins, Urges Patching

Attackers added a back door to three plug-ins that were available for download from WordPress for more than 24 hours.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
WordPress on Tuesday warned all users who run its software on their own servers to beware a trio of malicious plug-ins for its content management software, which may have been available for download from the site for more than 24 hours.

"Earlier today the WordPress team noticed suspicious commits to several popular plugins--AddThis, WPtouch, and W3 Total Cache--containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory," said a warning from Matt Mullenweg, founding developer of WordPress, released on Tuesday.

Plug-ins extend WordPress functionality, and the ones called out in the security warning offer an interface with social networking sites (AddThis), mobile and iPad versions of WordPress blogs (WPtouch), and server performance enhancements (W3 Total Cache). AddThis and W3 Total Cache have been downloaded at least 500,000 times, and the free version of WPtouch, more than two million times.

Mullenweg said that while an investigation is underway and there's no evidence that attackers compromised the WordPress site, WordPress just to be safe has forcibly reset all passwords for WordPress.org, which is the site where users can download WordPress. "To use the forums, [development site] Trac, or commit to a plugin or theme, you'll need to reset your password to a new one"--by using the log-in page--said Mullenweg.

In addition, he said that any users of the three Trojanized plug-ins who updated them "in the past day" (meaning Monday or Tuesday) should upgrade those plug-ins immediately.

Plug-ins, malicious or otherwise, continue to account for an increasing number of vulnerabilities seen in applications, both on PCs (for example, with browsers) and in Web applications (such as WordPress). In terms of WordPress, plug-ins now account for 80% of all WordPress-related vulnerabilities, according to HP DVLabs.

But some plug-in vulnerabilities are worse than others. "Web-based backdoors can be extremely dangerous," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "If you're a WordPress user, you'll know that the WordPress platform includes a complete and powerful administration interface, password-protected, via a URL such as "site.example/wp-admin." A WordPress backdoor might offer something with similar functionality, but using a different, unexpected, URL, and using a password known to the hacker, instead of to you."

Another danger is that if attackers managed to steal WordPress passwords, they might attempt to use them to access other sites. According to Mullenweg, "as a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one."

Unfortunately, password reuse remains rampant as numerous, recent attacks have shown, such as when LulzSec released stolen databases containing usernames and passwords--such as the release of 37,608 SonyPictures.com passwords, which researchers have cross-referenced with other leaked databases.

Small and midsize businesses are falling prey to cyberattacks that cost them sensitive data, productivity, and corporate accounts cleaned out by sophisticated banking Trojans. In this report, we explain what makes these threats so menacing, and share best practices to defend against them. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?