Inkless Paper Developed reports on a breakthrough in printing: paper that uses ultraviolet light to print on coated paper. The paper can be heated to 250°F to erase what was printed and re-written to it up to 80 times (re-writable paper).  The researchers believe that this paper, which uses ultraviolet light to speed up chemical reactions between titanium dioxide and Prussian Blue [Bob Ross, anyone?] pigment, can be produced cheaply on a commercial scale. Given that all the required materials – paper, titanium dioxide (already heavily used in beauty products/makeup, sunscreen, and as pigments for medicines, toothpaste, lipstick, creams, etc.), Prussian Blue pigment/dye, and ultraviolet bulbs – are all inexpensive means the materials are likely to be affordable. However, there are a few drawbacks:


WordPress 4.7.2: Hidden Exploit Fix

The recently released version 4.7.2 of WordPress had an additional security fix which was not disclosed in the changelog when it was released. The issue? A privilege escalation / content injection bug in the REST API that allowed for the potential that anyone could edit any post.


Part of the REST API had an improper check for a valid post. If it was not a valid post ID but still contained a valid ID within a string such as “134A” it would be converted to an integer (the A gets stripped away making it just “134”) which gives any user access to update the post via shortcodes (and possibly other routes).

This issue was fixed in 4.7.2 so make sure your WordPress install is updated!

Disclosure of Additional Security Fix in WordPress 4.7.2


Release: Elasticsearch 5.2

elastic has released version 5.2 of their search software, Elasticsearch. Here is what you can expect from this release:

  • Numeric & Date range fields: New field types (integer_range, float_range, long_range, double_range, and date_range) were added allowing you  to define a minimum and maximum numeric or date range when you post data to the document field. For example, an event lasting an entire weekend can now be easily added and can then be searched by checking if the event’s date range lies inside or outside a search range or a specific date falls within the event’s date range.
  • Cluster Allocation Explain API: For Elasticsearch admins, when a cluster went down because of shards not being allocated often required a number of queries to different APIs to figure out what exactly happened to a cluster. The new Cluster Allocation Explain API combines the information scattered around different APIs to make it easier to diagnose the problem and get it solved quicker.
  • Keyword Normalization: For the new keyword type added in version 5.0, it was not easy to do things like lowercase the characters since it was meant for aggregations & scripting. This update allows you to use normalizerstokenizers that only affect individual characters, not entire terms. This allows you to use character modifiers on the field when you need to.
  • Term Aggregation Partitioning: Elasticsearch defaults term aggregations to the top 10 but can be set to higher values. However, many were requesting if there was a way to just return all top terms (such as using a negative value). However, it is not possible. Why? Because can take much longer for databases with many thousands, millions, or even billions of terms. However, people were persistent so they came up with another way. An example is looking for all the accounts that have not logged in recently. In this update you can partition the terms across a set number then request the terms from each partition individually.



Release: WordPress 4.7.2

Last week WordPress released the second security update for version 4.7. There were 3 security issues fixed:

  • Interface for assigning taxonomy terms in Press This was shown to users who did not have permission
  • An SQL injection vulnerability was patched in the WP_Query class to prevent poorly coded plugins and themes from falling victim (involving post types)
  • Fixed a cross-site scripting (XSS) vulnerability in the post listing table (excerpts were not being escaped)

It is strongly encouraged that, if you are not using an automated update system, you manually update/upgrade your version of WordPress to this latest to prevent exploitation.

WordPress 4.7.2 Security Release



Release: Google Chrome 56

Google has released version 56 of its web browser, based on the open-source Chromium web browser. There were 51 security-related bug fixes and one security researcher nabbed over thirty-thousand dollars ($30,000) for reporting some particularly nasty cross-site scripting (XSS) issues in Blink, Chrome’s rendering engine.

Here are the other new and fixed features:

For Users

  • WebGL 2.0 Support
  • HTML5 by Default
    • For all users the browser will now attempt to load HTML5 content over Flash and will only fall-back to Flash when it is absolutely necessary
    • Around October of this year Flash will require the user to explicitly approve its use
  • Built-in FLAC (Free Lossless Audio Codec) codec/support
  • The URL input bar now shows “Not Secure” next to the information icon for sites that are not encrypted and requesting username and passwords
  • Improved Bluetooth support via Bluetooth Low-Energy (BLE) and the Web Bluetooth API
  • Page reloading up to 28% faster

For Developers

  • Added “system-ui” font-family value that uses the operating system’s (OS’s) default font
  • Network
    • Support added for Referrer-Policy (CSP referrer) header
    • reflected-xss header deprecated
  • CSS
    • background-image-repeat: space value support added
      • Fills background with repeated tiles but no so much that it goes outside the container and will “space out” the tiles equally
    • position: sticky value support added
      • Works as “relative” until it reaches a maximum value, then works as “fixed”
    • offset-rotate motion path property now supported
    • Scroll anchoring support added, new overflow-anchor  with possible values of auto or none (to disable)
      • Locks the browser to a specific element so that content reflows do not force the browser away from the anchor element as images & other content load
      • touch-action: pinch-zoom property support added
  • SVG
    • SVGElement.currentView, SVGElement.useCurrentView, and SVGViewSpec interface deprecated
  • JavaScript
    • Chrome will no longer fetch the src (source) property of <script>  tags with non-script MIME types (suggests using the link preload element instead)
    • Removed deprecated MediaStreamTrack.getSources()
    • Shadow DOM: Will now dispatch synthetic events when target and relatedTarget event property values are identical/same
    • Showing/hiding the URL bar will no longer affect the page size or elements with vh units
      • overlay with “extra at the top” rather than pushing content around
    • KeyboardEvent.isComposing read-only value which returns true after compositionstart event has fired but before compositionend has
    • MediaStream Image Capture now allows for taking images/video from attached camera/imaging devices
    • Fixed attached mouse on Android devices incorrectly firing TouchEvent instead of MouseEvent
    • Large images now allowed to be sent as notification content via Notification API
    • OPUS audio codec support
    • PaymentRequest.canMakePayment() returns true or false if a payment can be accepted via Payment Request API
    • Remote Playback API support added
      • Android only, desktop support will be added in a later version – desktops currently report no available playback devices even when there is at least one available
      • Can control external devices’ (like Smart TVs, Chromecasts, Rokus, etc.) media playback
    • Shaddow DOM: slotchange events are no longer re-fired at slot’s assignedSlot (correct odd behavior and comply with specification change)
    • Streams API: WriteableStream is now supported
    • Added ImageBitmapRenderingContext
      • Provides low-level context for rendering an image on Canvas
    • Document-level TouchEvents are now passive by default
    • Web Bluetooth API supported
    • WebGL 2 supported
    • WebAudio API
      • Added ConstantSourceNode
      • ChannelSplitterNode channelCount and channelCountMode are constant
      • PannerNode.rolloffFactor clamps to nominal range
      • Removed deprecated Doppler API
  • Security
    • Added early support for TLS 1.3
    • Removed various ECDSA TLS cyphers
    • SHA-1 certificates are no longer trusted
    • Touch scroll events no longer allow popups to be opened
    • window.prompt() no longer brings background/inactive tabs to the foreground/active state
      • Background tabs will just not display a prompt
  • DOM
    • Rare case-insensitive matches for <input> group name are no longer done
    • Non-white-space Unicode control characters are now rendered in compliance with the specification
    • Delay running rendering pipeline (including requestAnimationFrame requests) inside iframes until all stylesheets have loaded
    • Allow any element below the body to be defined as the root scroller (which allows hiding URL bar, generate overscroll glow, etc.) via document.rootScroller

Chrome now reloads pages 28% faster


Release: Firefox 51

Mozilla has released version 51 of the open-source Firefox web browser. What can you expect from this release?

For Users

  • Save password prompt allows you to view the password before it is saved
  • Zoom button added to the URL bar that displays the zoom level other than 100% – pressing the button returns to default zoom
  • Video performance for those that cannot make use of hardware GPU acceleration has been improved
  • Passwords are now saved from forms that do not emit a “submit” event
  • Free Lossless Audio Codec (FLAC) codec is now built-in
  • WebGL 2 is now supported – provides more advanced 3D images and animations
  • Subtle warning (crossed lock icon) displayed on sites that are not using a secure certificate (SSL/HTTPS) and asking for login username and password
  • Georgian (ka) and Kabyle (kab) locales added and Belarusian (be) locale removed
  • Improved E10s (multi-process) function with better tab switching
  • More reliable browser sync
  • 25 security issues fixed – includes many potential memory issues, some API issues, privilege escalation or information reveals, and URL spoofing

For Developers

  • HTML

    • The <hr>  tag can now be used within <menu>  tags/elements
    • selectionStart and selectionEnd attributes/properties now return correct position when there is no selection within <input>  and <textarea>  elements
  • CSS

    • :indeterminate pseudo-element selector now supported for <input type=”radio”>
    • :placeholder-shown pseudo-element selector now supported for <input type=”text”>
    • :placeholder pseudo-element selector now unprefixed
    • :valid pseudo-class selector fixed to select valid <form>  elements
    • unicode-bidi: plaintext  now works with vertical writing mode
    • clip-path: fill-box  and clip-path: stroke-box  now properly supported
    • Flexible Box Model’s (flexbox) line height is now clamped in single-line auto-height flex container with max-height (matching change to the specification)
  • JavaScript

    • Symbol.toStringTag, TypedArray.prototype.toString() , and TypedArray.prototype.toLocaleString() implemented
    • DateTimeFormat.prototype.formatToParts() now works
    • const and let are now fully compliant with the specification
    • const used within for … of now gets a new binding on each iteration and no longer throws a SyntaxError
    • Using for each … in now produced a deprecation warning
    • Generator functions can no longer be a child of a label and you can no longer use “let” as a label (for obvious syntax reasons)
    • Legacy generator functions now throw an error when used in method definitions (must use asterisk)
    • next()  iterator method now throws a TypeError when it does not return an object
    • Child-indexed pseudo-class selectors will match when they do not have a parent
  • Developer Tools

    • The Network Monitor now has a “blocked” state which shows when a connection is waiting to execute because the simultaneous connections limit has been reached
  • WebGL

    • WebGL 2 now enabled by default
    • The WEBGL_compressed_texture_es3 extension (implemented in Firefox 46) has been renamed to WEBGL_compressed_texture_etc and is no longer included by default in WebGL 2 contexts
    • The EXT_disjoint_timer_query extension has been updated to use WebGLQuery objects instead of WebGLTimerQuery objects
    • The OES_vertex_array_object extension now uses the WebGL 2 WebGLVertexArrayObject object instead of its own WebGLVertexArrayObjectOES object
    • You can now use ImageBitmap objects as a sources for texture images in methods like WebGLRenderingContext.texImage2D(), WebGLRenderingContext.texSubImage2D(), WebGL2RenderingContext.texImage3D(), or WebGL2RenderingContext.texSubImage3D()
  • IndexedDB v2

    • IndexedDB version 2 is now enabled
      • Supports for the new IDBObjectStore.getKey() method has been added
      • Supports for IDBCursor.continuePrimaryKey() method has been added
      • Binary keys are now supported
  • Canvas

    • The non-standard CanvasRenderingContext2D.mozFillRule() method has been removed; the fill rule can be defined using a parameter of the standard CanvasRenderingContext2D.fill() method
    • The CanvasRenderingContext2D.imageSmoothingEnabled has been unprefixed
  • SVG

    • tabindex attribute Added
    • href attribute added, which renders xlink:href obsolete
    • You can now use custom data attributes on SVG elements through the SVGElement.dataset property and the data-* set of SVG attributes
    • CSS Animations used in an SVG image which is presented in an <img> element now work again; this was an old regression
  • Web Workers

    • WorkerGlobalScope.onclose obsolete event and the close event of Worker objects have been removed
  • Networking

    • image/*, video/*, audio/* or text/csv MIME types served to <script> elements, Worker.importScripts(), Worker(), or SharedWorker() are blocked and no longer allowed
  • XHR

    • XMLHttpRequest.responseXML no longer returns a partial document when there is a parse error. Instead, it now returns null (as the specification dictates)
    • To match the latest specification an XMLHttpRequest without an Accept header set with setRequestHeader() is now sent with such a header, with its value set to */*
    • now correctly nulls out username and password values when omitted according to the specification
  • WebRTC

    • The RTCPeerConnection.removeStream() method has been removed. It was deprecated back in Firefox 22, and has been throwing a NotSupportedError for a long time. You need to use RTCPeerConnection.removeTrack() instead, for each track on the stream.
    • WebRTC now supports the VP9 codec by default
    • The method HTMLMediaElement.captureStream(), which returns a MediaStream containing the content of the specified <video> or <audio>. It’s worth noting that this is prefixed still as mozCaptureStream(), and that it doesn’t yet exactly match the spec.
  • Audio/Video

    • Added FLAC support (FLAC codec) in both FLAC and Ogg containers. Supported FLAC MIME types are: audio/flac and audio/x-flac. For FLAC in Ogg, supported MIME types are: audio/ogg; codecs=flac, and video/ogg; codecs=flac
    • Added support for FLAC in MP4 (both with and without MSE)
    • Throttling in background tabs of timers created by Window.setInterval() and Window.setTimeout() was changed in Firefox 50 to no longer occur if a Web Audio API AudioContext is actively playing sound. However, this didn’t resolve all scenarios in which timing-sensitive audio playback (such as music players generating individual notes using timers) could fail to work properly. For that reason, Firefox 51 no longer throttles background tabs which have an AudioContext, even if it’s not currently playing sound.
  • DOM (Document Object Model)

    • The deprecated DOMImplementation.hasFeature() now returns true for all arguments
    • onerror / error event is now supported for <img> elements and HTMLImageElement objects
    • Animation.effect can now be set rather than being a read-only property
    • Permissions.revoke()  is now behind a browser setting/preference (dom.permissions.revoke.enable) and is disabled by default
    • property and StorageManager.estimate() are now implimented/enabled. Storage unit persistence features are not yet implemented
    • BatteryManager.chargingTime and BatteryManager.dischargingTime round to the nearest 15 minutes
  • Events

    • onanimationstart, onanimationiteration, and onanimationstart event handlers are now supported in addition to supporting the corresponding events using addEventListener()
    • ontransitionend event handler supported


Fiber Picks Up Speed

Our demand for data continues to grow and so to does the amount of data fiber optic networks can transmit. reports on research completed by NTT Access Network Service Systems Laboratories in Japan where they were able to fit 12 individual cores inside a standard diameter for fiber optics. Since the amount of data we can pack into current single-core networks is approaching maximum – meaning more fiber optic lines need to be laid to transmit the same amount of information – research into optical wires that contain multiple single cores is picking up. While this is not yet ready to be deployed out in the field it does bring such upgrades a step closer by producing a wire which experiences less distortion than similar multi-core wires. They are now looking to continue scaling up as well as find solutions to make multi-core fibers require less complex signal processing.


SHA-2 Adoption Slow, Picking Up

Threat Post reports on how browser developers are working on both adding support for as well as adding warnings into browsers for users that use less secure certificates signed by SHA-1 hashes. As computers continue to increase in performance it becomes easier, faster, and cheaper to break older hash algorithms. New algorithms get developed but are not always adopted quickly by software makers and certificate issuers.

In this case it is expected to become significantly more economically viable to break SHA-1 hashes via collision attacks. Collision attacks are where repeated tests occur looking for cases where more than one input produces the same output – since a hash accepts any length of input but a limited number of characters of output there will always be collisions – just a matter of how long it takes a computer to find those collisions. In most cases new and sophisticated hashing algorithms would take computers thousands if not millions of years to successfully find enough collisions to be usable, but as computers become faster it takes less time to crack the same algorithm. Once the algorithm becomes economically feasible to crack it is replaced and retired.

In 2012, Bruce Schneier projected a collision attack SHA-1 would cost $700,000 to perform by 2015 and $143,000 by 2018.

The Mozilla Firefox browser is expected to be the first browser to alert users of insecure certificates in just a few days (January 24, 2017). As more browsers are expected to adopt SHA-2 and warn about SHA-1 usage it is expected to push slow adopters to make the move as well. Websites are not the only issue – payment machines like credit card readers can also be insecure and use the older SHA-1 algorithm… and are a lot more expensive and more difficult to get updated. Many of the machines cannot simply upgrade the software – instead new machines must be produced and sent out to retailers.

There are also millions of mobile apps that use encryption. A number are no longer developed but still work and continue to use SHA-1. Others may not get updated often and will not make the switch to SHA-2 for a while. Some companies simply don’t have the funding to update parts of their apps. So there is likely to be a long, uphill battle when it comes to the adoption of a more secure algorithm… the question will be: Will a breach or data loss be less costly than updating the hardware and/or software.

SHA-1 End Times Have Arrived


Browsers’ Interfaces Are Insecure

As browsers continue to add new features, many of them need to notify or request confirmation from the user. These notifications and dialogs are showing outside the browser interface and appear inside or overtop of the content window (considered to be untrusted since any content can be displayed by developers). This means that content developers can mimic these notifications easier and trick (or bait/phish) users into clicking or submitting information to dialogs that are not part of the browser.

A family member was recently subject to something very similar  last week. The browser was being forced into fullscreen mode. Popups were repeatedly sent to prevent being able to do anything else with the browser. Whenever I hit F11 to exit fullscreen mode, it immediately went back into fullscreen mode. At the same time the browser’s interface (address bar, tabs, bookmarks, etc.) could have been faked within that full screen browser tab. Since many browsers today use the same or similar technology to render their interfaces it can be easily mimicked using HTML & CSS. Luckily I was able to prevent the popups and close the browser window using Ctrl + W. An simple [may not be perfect] fix for this is to require requesting the user approve going to fullscreen in cases other than for the video tag – similar to how the user’s location must be requested.

These encroachments have security researchers worried because it means that none of the browser window can be trusted and phishing schemes / scams will likely become increasingly successful when the user believes they are interacting with the browser when they are really interacting with the content of a potentially malicious website.


Release: PHP 7.0.15, 7.1.1, 5.6.30

PHP has released security updates for versions 7, 7.1, and 5.6. Since these are security releases it is HIGHLY recommended you update to them. I also heavily recommend you update to them as there are some odd bugs fixed in earlier versions for rare cases that could cause hangs or segfaults (crashes) in some cases where minor coding errors are made.

Highlights for Version 5.6.30

  • An issue was fixed where a TIFF or JPEG with malicious or invalid metadata tag can cause PHP to terminate prematurely on Intel CPUs (not necessarily a security issue but could break some code)
  • Use-after-free memory access for images passed as an input argument to a GD image output function
  • Fixed a DOS vulnerability in gdImageCreateFromGd2Ctx()
  • Fixed integer overflow in gd_io.c
  • Fixed an issue where a hostile or corrupt compressed PHAR file could leak memory, corrupt memory, or crash PHP
  • Fixed issue where, under certain cases, a hostile serialized string could be used to access freed memory (use-after-free)
  • Fixed an issue where a hostile serialized string can read out-of-bounds memory

While some of these issues require specific cases, there also appears to be some easily utilized security issues where proper input sanitization is not met as well as some possible image upload security issues.

Highlights for Version 7.0.15

  • Fixed a few of the same serialized string issues fixed in version 5.6.30
  • Fixed issue where for each value parameter passed back as reference where no reference exists causes a crash
  • Fixed issue where unpacked arrays do not properly advance using next()
  • Fixed null pointer dereference under certain conditions when unpacking serialized object
  • Fixed an issue where, with maliciously crafted code, a read-after-free can occur with the properties storage table when unserializing objects which could allow an attacker to execute arbitrary code
  • Fixed the same GD and EXIF metadata issues that were fixed in version 5.6.30
  • Fixed memory leak in preg_*() regular expression functions
  • Fixed same PHAR issues that were fixed in version 5.6.30
  • Fixed reflection class stored as object property not being properly freed/destroyed when the class is destroyed (memory leak)
  • Fixed crash where object with __sleep() method is serialized
  • Fixed issue where get_browser() runs slow/longer under certain conditions or loading browsercap.ini uses a lot of memory at startup
  • Fixed issue where get_defined_functions() returned functions that were disabled via settings/php.ini

Essentially, __wakeup and serialized strings and objects have become a target for hostile intent. This is a fairly large security issue since many libraries and CMSes use serialized data and many pieces of code utilize the wakeup method – even if hostile intent needs to be done under certain conditions which many not occur very often.

Highlights for Version 7.1.1

  • Majority of the same issues fixed in 7.0.15 were also fixed in this version

Since 7.1 shares a very similar codebase to 7.0.x, there were not any additional bugs that stood out to me other than those that were fixed as part of version 7.0.15 that were also fixed in this version.