2016: Banner Year for Encryption

Bar graph from Let's Encrypt showing the massive 21 million additional certificates issued between the end of 2015 and the end of 2016.

The Electronic Frontier Foundation (EFF) reported that the number of websites using encryption (HTTPS) to secure the traffic between the browser and the web server grew dramatically over the year. For the first time since the inception of the Internet, the majority (more than half) of internet traffic was encrypted! Size did not matter: large and small websites alike have been adopting certificates to encrypt their traffic… but why?

A number of factors played out over the past year that led to this mass migration to encryption: Google announced it would give sites a small ranking boost for using encryption (one that will likely get stronger as time goes on); web browsers added visual cues that make non-encrypted sites look less secure; pressure from governments, businesses, and the public to secure the net increased; several new and advanced browser features only work on encrypted connections; and free, programmatically issued (automated) certificates became available. Together these led to the massive adoption that occurred throughout the year.

There are still a number of countries, particularly in Asia and the Middle East, that are resisting the adoption of encryption but various organizations are already looking into how they can encourage the holdouts to join in.

Personally I see this as no different from when much of the world, especially those in the east, continued to rely on old, out-of-date Internet Explorer versions and were eventually pressured to upgrade by Microsoft along with various other organizations through advertisements and public service announcements (PSAs, or maybe Internet Service Announcements?). They showed just how insecure and slow older browsers are and how much risk is taken by refusing and/or blocking browser upgrades.

PHPMailer Vulnerability


A new Remote Code Execution (RCE) vulnerability has been reported on Christmas but details were only recently released. PHPMailer has already issued a patch (though they are not 100% confident in it), and WordPress (which uses PHPMailer) is considering issuing a security patch for current versions as well.

The vulnerability works like this: when the FROM address is passed as a variable into PHPMailer, it is handed to the mail function as a shell argument, and an address containing escaped quotes and whitespace slips through the escaping. That lets an attacker place executable code into the root.

Note that as of now there are no known working exploits for this. Also note that this exploit may not work on all systems, because different mail functions are used and they accept different arguments.

Also, as long as the email address passed to the FROM variable is more strictly validated (not allowing the escaped quotes and whitespace in email addresses), it is not an issue. Some feel that the strictness of not following the RFC exactly will prevent valid emails but many point out that it would only block VERY FEW valid emails and argue that the RFC should not allow such characters – most well-known email systems do not allow such characters anyway.

The code that I write always validates the email using the filter_var function (which is strict and prevents the issue from occurring). I checked Gravity Forms and they also use the filter_var function. I don’t know about JetPack. It is also likely that, if they have not already, CloudFlare and WP Engine will add an input filter for this.

If you are using a custom build of PHPMailer in any extensions/add-ons or external code, it is HIGHLY RECOMMENDED that you upgrade to PHPMailer version 5.2.18 or newer, which adds escaping to the FROM address.
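As an added example (not code from the post or from PHPMailer), here is the kind of sender validation described above, written as a standalone function: it rejects whitespace, quotes and backslashes outright before applying filter_var, so RFC-style quoted local parts never reach the mailer. The PHPMailer call at the end is illustrative and assumes PHPMailer 5.2.18 or newer is loaded.

```php
<?php
// Added example, not from the original post or PHPMailer.
// Validate a user-supplied FROM address before it reaches PHPMailer / mail().
declare(strict_types=1);

/**
 * Returns the validated address, or null if the input must be rejected.
 * The explicit character check comes first so the policy is visible:
 * no whitespace, no single or double quotes, no backslashes. Only then
 * is the RFC-level syntax checked with filter_var().
 */
function safe_from_address(string $input): ?string
{
    $candidate = trim($input);
    if ($candidate === '' || preg_match('/[\s"\'\\\\]/', $candidate)) {
        return null;
    }
    $valid = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample inputs: one ordinary address, two that carry the
// escaped-quote / whitespace forms the post talks about.
$samples = [
    'alice@example.com',
    '"alice \" extra"@example.com',
    'bob @example.com',
];
foreach ($samples as $sample) {
    $result = safe_from_address($sample);
    printf("%-32s => %s\n", $sample, $result ?? 'REJECTED');
}

// Illustrative use in a form handler (assumes PHPMailer is autoloaded).
$from = safe_from_address($_POST['from'] ?? '');
if ($from === null) {
    http_response_code(400);
    exit('Invalid sender address.');
}
$mail = new PHPMailer();
$mail->setFrom($from, 'Website contact form');
```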

Yet Another Yahoo! Security Issue


Yahoo! has fixed a major security flaw. This one was in their Yahoo! Mail email service and allowed an attacker to embed JavaScript in an email and have it execute. An attacker could gain access to all of a person’s email and their Yahoo! account just by the victim opening an infected email.

How was it done? Yahoo!, like many other email services, strips HTML and most attributes from emails that are received. However, not all are filtered and normally it would not matter if JavaScript were embedded in an attribute – it needs to be encoded and won’t get executed anyway. However, thanks to the video and image previews that have been added in recent years (the ones that show YouTube or Vimeo video preview icons or previews of images attached to an email), some data-x attributes are used to allow the JavaScript Yahoo! wrote to generate a preview block:

Yahoo! Mail XSS Bug

So a security researcher thought… what would happen if I embedded a script inside the element data parameter? So he tried it:

What happened when he sent himself the infected email to his Yahoo! account?

Yahoo! Mail showing a popup generated from a received email

Uh oh…

But that is just some script embedded in an attribute, why is it getting converted to actual HTML? He began digging through Yahoo!’s JavaScript – the part that generates those video and image previews. He found a piece of code that was simply taking the contents of a couple of the parameters and embedding it within the page as HTML:

Oops…

With that kind of power an attacker could gain access to all of the emails from anyone that opened an infected email, send email as said user, or even do other actions with their account.

The researcher submitted the flaw prior to releasing the details and Yahoo! has fixed the issue.

WordPress 4.7 “Vaughan” Released


WordPress (WP) has released version 4.7 of their blogging and content management software. It has been codenamed in honor of the legendary jazz vocalist Sarah “Sassy” Vaughan. Here are some of the new features:

Twenty Seventeen

As always, new version, new theme…

WordPress 4.7's default theme: Twenty Seventeen. Twenty Seventeen focuses on business sites and features a customizable front page with multiple sections. Personalize it with widgets, navigation, social menus, a logo, custom colors, and more. Our default theme for 2017 works great in many languages, on any device, and for a wide range of users.
WordPress 4.7’s default theme: Twenty Seventeen

Theme Starter Content

When you set up a new theme with no content, the theme can provide some starter content to show off its capabilities.

Edit Shortcuts

New icons appear in the Customizer to show what content can be changed in real-time within the live preview.

Video Headers

Video headers can be added to themes with a video selector that shows up in the Customizer.

Blank Pages During Menu Creation

If you don’t have content for your site yet but know how you want your menu structured, the menu editor now allows creating blank pages on the fly while setting up the menu.

Custom CSS

Custom CSS can be added through the Customizer (note that such file-editing features are often disabled on most hosts as they often are the source of exploits and malware).

PDF Thumbnail Previews

PDFs that are uploaded now generate image previews just like images:

Image showing a PDF file with an image preview in the media library.

Dashboard in your language

The admin dashboard can now have its own per-user language setting.

REST API Content Endpoints

Endpoints for posts, comments, terms, users, meta, and settings are provided by default in this version as they continue to build in the API components.

Post Type Templates for All

Post type templates are now available for all custom post types.

Custom Bulk Actions

One of the most-often requested features is now available in this version. In the past, adding custom bulk actions required a lot of hacking and going around the existing code. Now there are built-in functions to assist with adding custom actions that can be applied to many posts at once.

WP_Hook

The code that runs the actions and hooks has been rewritten, fixing a number of bugs and adding a few new capabilities.

Settings Registration API

The register_setting() function has been updated to include type, description, and REST API visibility.

Customizer Changesets

A new post status (customize_changeset) is created when something is changed in the Customizer prior to being published.


Google Chrome 55 Released


Google has released version 55 of the Chrome web browser (based on the open-source Chromium browser) a few days early (it was supposed to be released on the 6th). Over $70,000 was paid out to security experts, developers, and white-hat hackers for finding over 25 different security-related issues with the browser.

Noteworthy features:

async & await functions

ES2016’s async and await function flags will be fully supported and allow making function calls that do not delay the main browser thread (asynchronous). Note that because IE does not support this (though it can be mimicked using a setTimeout polyfill; Edge has this feature behind an experimental flag) it will be a while before it can be used cleanly. Babel (the ES6->ES5 JavaScript transpiler Node.js module) transpiles these for browsers that do not support it using the setTimeout polyfill.

Pointer Events

Pointer Events API will be fully supported and allow capturing mouse and touch move, over, and leave/out events combined into a single event.

Persistent Storage

Persistent Storage will be supported. Note that pretty much all browsers support localStorage, but it is up to the browser when to remove the data. For instance, when hard drive space runs out, storage data gets wiped automatically to free up space. Persistent Storage provides a mechanism that lets the developer request that their data be kept unless clearing out all non-persistent data still does not free up enough storage space. The API reports whether the request was accepted or the browser is only accepting non-persistent storage.

Chrome 55 is expected to use significantly less memory. Chrome was the first browser to support per-tab processes, but that has always come at the cost of using a fair bit more memory than other browsers. Now the goal is to eventually reduce memory usage enough that Chrome can be used easily on a computer with just 1GB of memory. Version 55 is the first step toward that goal: it both uses a fair bit less memory and has a rewritten garbage collector.

PHP 7.1 Released


PHP version 7.1 was released with a few new features and corrections. Nothing massive (like the major performance increase of version 7) was added so don’t expect hosts to make any major steps to support it.

Nullable Types

Function and method return types can have a question mark (?) placed in front of them to identify that the return value can be either the identified type or null. If something other than those values is returned, an error is issued.

Void Return Type

Declaring a void return type means nothing may be returned from the function or method. Returning any value will issue an error.

Iterable Pseudo-Type

A new function or method argument type (or return type) identifier of “iterable” requires an array or object that implements the Traversable interface. If a variable that is not of those types is passed to the function or method an error is issued.

Class Constant Visibility

Class constants can now have a public, private, or protected visibility modifier, just like properties.

Square Bracket Syntax for list()

Short-form array syntax can now be used instead of the list() function.

Catch Multiple Exception Type

Similar to if/elseif/else chains, try/catch blocks can now catch more than one type of exception with a single catch block.

Asynchronous Signal Handling

While this cannot be used directly within PHP, certain behind-the-scenes code is being replaced to use asynchronous signals instead of ticks. This is likely a first step toward asynchronous process handling in later versions of PHP.

Closure From Callable Function

Callables will be converted to closures automatically when necessary.

HTTP/2 Server Push Support in cURL

A few other smaller features and a number of fixes were also included.
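The PHP 7.1 language features listed above, combined into one small script as an added example (not code from the post or from PHP itself). The Config class and its values are constructed for illustration; it requires PHP 7.1 or newer.

```php
<?php
// Added example, not from the original post: PHP 7.1 features in one place.
declare(strict_types=1);

final class Config
{
    // Class constant visibility: the salt is hidden from callers.
    public const DEFAULT_HOST = 'localhost';
    private const SECRET_SALT = 'example-salt';   // constructed value

    /** @var array<string,string> */
    private $values = [];

    // iterable pseudo-type: accepts arrays and Traversable objects only.
    public function __construct(iterable $pairs)
    {
        foreach ($pairs as $key => $value) {
            $this->values[(string) $key] = (string) $value;
        }
    }

    // Nullable return type: a string or null, nothing else.
    public function get(string $key): ?string
    {
        return $this->values[$key] ?? null;
    }

    // Void return type: returning a value here is a compile-time error.
    public function set(string $key, string $value): void
    {
        $this->values[$key] = $value;
    }

    // Uses the private constant internally; callers cannot read it.
    public function fingerprint(): string
    {
        return hash('sha256', self::SECRET_SALT . json_encode($this->values));
    }
}

// Square-bracket destructuring in place of list(), with keys.
['host' => $host, 'port' => $port] = ['host' => Config::DEFAULT_HOST, 'port' => '5432'];
$cfg = new Config(new ArrayIterator(['host' => $host, 'port' => $port]));

try {
    $cfg->set('user', 'app');
    var_dump($cfg->get('user'), $cfg->get('missing'), $cfg->fingerprint());
    new Config('not iterable');   // a string is not iterable: TypeError
} catch (TypeError | InvalidArgumentException $e) {   // multi-catch
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
```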

Chrome Security Update: 45.0.2454.101


Google has released a security update for its Chrome web browser. The new version, 45.0.2454.101, includes fixes for a reported cross-origin bypass that affects both the document object model (DOM) parser and the V8 JavaScript/ECMAScript engine.

It is recommended that you update your browser to this version to prevent possible exploits. You can do so by clicking the main menu icon (three dashes in the top right) and going to Help / About Google Chrome or by downloading from:

http://www.google.com/chrome/

PHP 7: Release Candidate 2


The next version of the popular open-source scripting language is set to be released in early November 2015 – just a few months from time of writing! The second release candidate has been set free with a few bug and security fixes.

The upcoming version includes new features such as full and consistent 64-bit support across platforms (which also adds support for larger file sizes), removal of a number of old/dead SAPI extensions (including deprecation of mysql in favor of mysqlnd/mysqli or PDO), added support for null coalescing (also known as the isset ternary) and combined comparison operators, return and scalar type declarations, and anonymous classes.

However, the biggest change was speed. PHP 7 benchmarks show it to be up to twice as fast as the current 5.6 version and nearly as fast as HHVM. My own benchmarks of RC 1 have shown an average 95% increase in performance on a 64-bit Windows 7 machine running benchmark scripts. The biggest performance gain was seen in string manipulation, which is what many scripts rely on. However, perception is the real key, and there it does not disappoint either. Local installs of WordPress, upon first run, have gone from ~4 seconds to ~2 seconds. Subsequent runs are nearly instantaneous (1 second or less). Running them in production on Linux servers will definitely be even faster.

Backward Incompatibility

While the majority of scripts written to support the PHP 5.x branch will work perfectly fine on PHP 7, there are some fixes that remain. Most notably, a number of scripts still use the old PHP 4-style constructors. They are being phased out and issue a deprecation warning. Instead of using a method with the same name as the class, you should create a method called “__construct” (two underscores followed by “construct”) to define constructor methods. The old mysql extension (mysql_* functions) is in the same boat: it is deprecated and will be removed in upcoming PHP versions. Scripts need to be updated to use mysqlnd (MySQL Native Driver) through mysqli (mysqli_* functions) or PDO.

The other major change some scripts may run into trouble with, only if Object-Oriented Programming (OOP) is used, is how class variables are returned. According to the upgrade document:

* Indirect variable, property and method references are now interpreted with left-to-right semantics. Some examples:

To restore the previous behavior add explicit curly braces:
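As an added example (not from the post or the PHP upgrade notes), this script shows one indirect property lookup under the two readings and the braced form that means the same thing on PHP 5 and PHP 7. The User class and its data are constructed for illustration.

```php
<?php
// Added example, not from the original post: PHP 7 left-to-right parsing of
// indirect references, and the explicit braces that pin down the old meaning.

class User
{
    public $name  = 'alice';                 // constructed data
    public $roles = ['admin' => 'yes'];      // constructed data
}

function lookups(): array
{
    $user = new User();
    $key  = ['prop' => 'name'];

    // PHP 5 parsed this as $user->{$key['prop']}   -> 'alice'
    // PHP 7 parses it as   ($user->$key)['prop']   -> property named "Array",
    // which does not exist, so the result is null (with notices, silenced here).
    $ambiguous = @$user->$key['prop'];

    // Explicit braces: identical meaning on PHP 5 and PHP 7 -> 'alice'.
    $explicit = $user->{$key['prop']};

    // The PHP 7 reading spelled out with parentheses: fetch the property
    // first, then index into it -> 'yes'.
    $prop = 'roles';
    $newStyle = ($user->$prop)['admin'];

    return [
        'ambiguous' => $ambiguous,
        'explicit'  => $explicit,
        'newStyle'  => $newStyle,
    ];
}

var_dump(lookups());
```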

Errorpocalypse

The last major difference, and one which may confuse developers, is error display and handling. The entire error handling system has been ported to use exceptions and will now only show an error in a few cases. Most errors, including most fatal errors, now throw exceptions, which do not display the way errors do in version 5. You may run into an empty or blank white display or a partially-rendered page. This is normal for PHP 7. What is happening is that a fatal error was encountered, but instead of showing the typical error message and backtrace, most scripts as currently written simply halt: instead of an error, an exception is thrown. A number of developers are not used to working with exceptions and will be confused.
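An added example (not code from the post) of the behaviour described above: each block triggers something that was a fatal error in PHP 5 and is now a thrown Error in PHP 7, and a global handler logs anything uncaught instead of leaving a blank page. It assumes display_errors is off, as on a production host; the function and class names are constructed.

```php
<?php
// Added example, not from the original post: catching PHP 7's Error objects.
declare(strict_types=1);

// Last line of defence: anything not caught below lands here. Log the
// detail, show the user a generic message, never echo $t->getMessage().
set_exception_handler(function (Throwable $t): void {
    error_log(sprintf('[%s] %s in %s:%d',
        get_class($t), $t->getMessage(), $t->getFile(), $t->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.', PHP_EOL;
});

function add(int $a, int $b): int
{
    return $a + $b;
}

// 1. Wrong argument type: a TypeError, not a fatal error.
try {
    add("1", 2);                       // strict_types: no coercion
} catch (TypeError $e) {
    echo 'Caught TypeError: ', $e->getMessage(), PHP_EOL;
}

// 2. Undefined function: fatal in PHP 5, an Error object in PHP 7.
try {
    undefined_function_for_demo();     // constructed name
} catch (Error $e) {
    echo 'Caught Error: ', $e->getMessage(), PHP_EOL;
}

// 3. Throwable is the common interface of Exception and Error, so one
//    catch covers both families.
try {
    intdiv(1, 0);                      // DivisionByZeroError extends Error
} catch (Throwable $t) {
    echo 'Caught ', get_class($t), ': ', $t->getMessage(), PHP_EOL;
}

// 4. Left uncaught on purpose: reaches set_exception_handler() instead of
//    producing the blank page the post describes.
new NonexistentClassForDemo();         // constructed name
```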

In a future post (to be linked here) I will go more in-depth into the changes made to the error system in PHP 7 as well as how to handle them (now using exceptions) and get more information from them while developing scripts.

Firefox: Stolen and Fixed


Mozilla, an open-source software community run by the non-profit organization, Mozilla Corporation, and developer of the Firefox web browser, has announced that its bug tracking software, Bugzilla, was hacked. The organization’s blog post states that the compromised account had access to privately-listed bugs representing zero-day security flaws in the browser. However, if you keep your browser up-to-date you are protected: the zero-day flaws that were stolen were all patched as part of version 40.0.3, released August 27, 2015. The post does not state the date that the account was compromised.


This should definitely be a wake-up call for you to keep the software you use up-to-date. Many applications today will automatically update (including the more recent versions of Firefox) but some do not. In addition to keeping you safe from security flaws, the latest versions of programs also deliver features that make using the software more enjoyable and sometimes easier. In the case of web browsers, it also delivers new tools for web developers to use to make better web applications and websites that are more visually appealing and interactive.

More Information

More detailed explanation of why you should take the time to ensure the software you use is up-to-date will be in an upcoming post! I will link the post here.