Release: WordPress 4.7.1


WordPress, the open-source blogging and CMS platform, has released version 4.7.1, a security update to version 4.7.

The update fixes eight (8) major security issues as well as sixty-two (62) other bugs found in 4.7.

  1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
  3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file.
  5. Cross-site scripting (XSS) via theme name fallback.
  6. Post via email checks mail.example.com if default settings aren’t changed.
  7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
  8. Weak cryptographic security for multisite activation key.

It is strongly encouraged that you update your version of WordPress as soon as possible to avoid possible exploitation. As always, I also encourage everyone to read through the changelog to see what was fixed or what could be a potential issue in the future.

WordPress 4.7.1 Security and Maintenance Release

Chrome Changes: Encryption Notification


Google Chrome version 56 (based on the open-source Chromium web browser) is scheduled to be released at the end of the month. One of the major user-level changes is how sites without encryption will appear. Until now there has just been a lowercase letter “i” with a circle around it — this was typically an indicator to get more information about the site. In the upcoming version this symbol will be accompanied by a “not secure” message to indicate that the site is not secure:

The difference between Chrome 53 and Chrome 56 when a non-encrypted site is visited: The circled lowercase "i" will be accompanied by "Not secure"


Google has also indicated that future versions of Chrome will continue to make sites that are not encrypted appear with a more prominent warning symbol:

In future versions of Chrome the "Not secure" indicator will be red, have a triangle exclamation mark warning icon, and be much bolder.


Imminent: Non-HTTPS Sites Labeled “Not Secure” by Chrome

Google warned about this back in September of 2016.

System 3: Original Constructor Free!

If you didn’t know, System 3 Software is remaking the 1997 classic video game Constructor! Originally they were going to call it Constructor HD – essentially re-writing the original to work better on the latest PCs with high resolution graphics – however they now feel that enough is being added that it will also be its own game. They are no longer calling it Constructor HD but instead just Constructor (like the original). On top of that, they are giving away free copies of the original 1997 game: anyone who likes the game’s Facebook page by January 31, 2017 will receive a link to download the original game for free. I assume the game has been updated enough to run on the latest PCs (or at least running in an emulator like DOSBox).

Intel Pushes Moore’s Law Along: 10 nm


Moore’s Law (which states the number of transistors per square inch doubles roughly every twelve {12} to eighteen {18} months) has repeatedly been predicted to end as the limits of silicon are reached and transistor sizes approach the scale where quantum effects take over, yet it keeps proving the naysayers wrong. IEEE Spectrum reports that central processing unit (CPU) manufacturer Intel is pushing Moore’s Law further as it plans to push out computer and mobile processors with transistors that are just ten {10} nanometers (nm) wide. However, these transistors are going to be a bit different than your average transistor…

Intel plans on, for the first time in quite a long time, decreasing the size of the gate (the piece of a transistor that switches it “on” or “off”) and the gate pitch – the size of the material that exists between one gate and another. They are also planning on making two {2} improvements on their transistor design within its lifetime. Intel claims this change will create a processor that, while still more expensive than the last generation, will still be cheaper per-transistor than its previous product offerings. Though, as with the modern generations of processors, don’t expect much difference in clock speed. What about the other producers?

Intel is also planning on allowing other processor manufacturers to use their manufacturing facilities to produce their own chips. This is less likely to be an invitation to competitors and more an invitation to manufacturers of specialized processors and chipsets. Global Foundries, the manufacturer that spun off from AMD years ago, is planning on skipping ten {10} nm altogether and jumping right to seven {7} nm in 2018.

Moore’s Law is expected to end once transistors reach 5 nm. Below that size the effects of quantum physics start taking over and electrons begin “tunneling” – a quantum effect where an electron suddenly tunnels through insulating material and pops out on the other side. Essentially an electron in one transistor could suddenly end up in the one next to it – a one {1} becomes a zero {0} and a zero {0} becomes a one {1} – yikes! It is yet to be seen if something – a solution or perhaps a new material – appears to continue Moore’s Law in the future.

Cloudflare Trips Over Leap Second


The domain name service (DNS) and security proxy provider Cloudflare appears to have tripped over the leap second at the end of 2016. The Go programming language that it uses to build its DNS server apparently returned a negative number for the date in some cases, which caused the random number generator to throw errors. The fix? A single line of code where less than or equal to zero (<=0) is checked instead of simply equal to zero (==0).

2016: Banner Year for Encryption

Bar graph from Let's Encrypt showing the massive 21 million additional certificates issued between the end of 2015 and the end of 2016.

The Electronic Frontier Foundation (EFF) reported on the number of websites utilizing encryption (HTTPS) to secure the traffic between the browser and the web server. For the first time since the inception of the Internet, the majority (more than half) of internet traffic was encrypted! It did not matter the size: large and small websites have been adopting secure certificates to encrypt their traffic… but why?

A number of factors played out over the past year that led to this mass migration to encryption. Google announced it would start giving sites a small rank boost if they used encryption (that will likely get stronger as time goes on); web browsers added visual features that make non-encrypted sites look less secure; pressure from governments, businesses, and the public to secure the net increased; some new and advanced browser features were introduced that only work on encrypted connections; and free programmatic (automated) secure certificates became available. All of these led to the massive adoption that occurred throughout the year.

There are still a number of countries, particularly in Asia and the Middle East, that are resisting the adoption of encryption but various organizations are already looking into how they can encourage the holdouts to join in.

Personally I see this as no different than when much of the world, especially those in the east, continued to rely on the old, out-of-date Internet Explorer versions and were eventually pressured to upgrade by Microsoft along with various other organizations through various advertisements and public service announcements (PSAs, but maybe Internet Service Announcements?). They showed just how insecure & slow older browsers are and how much risk is taken by refusing and/or blocking browser upgrades.

Mass Manufacturing Graphene: New Method

Hexagonal grid representation of crystalline graphene (single-molecule layer graphite).

Graphene has been expected to be the next big idea in electronics, medical, and many other fields for quite some time. The properties of graphene outpace that of traditional materials used today. However, mass-manufacturing the single-molecule-layers of graphite (yes, “pencil lead”) has proven difficult, complex, and costly. But new methods are being worked on…

Reported by Next Big Future, a new method of manufacturing graphene has been created by researchers at the University of Exeter. It uses roll-to-roll manufacturing, a process still being developed for use with semiconductors, in which a variety of electronic devices are printed on top of ribbons or films of material and then transferred onto reactive materials or bases. The researchers used the experimental manufacturing technique to create a transparent graphene-oxide humidity sensor and expect that everything from biomedical sensors to touch-screens could be printed using the technique.

“The University of Exeter is one of the world’s leading authorities on graphene, and this new research is just the latest step in our vision to help create a graphene-driven industrial revolution. High-quality, low cost graphene devices are an integral part of making this a reality, and our latest work is a truly significant advance that could unlock graphene’s true potential.”
– Professor Monica Craciun, Associate Professor in Nanoscience

PHPMailer Vulnerability


A new Remote Code Execution (RCE) vulnerability was reported on Christmas, but details were only recently released. PHPMailer has already issued a patch (though they are not 100% confident in it), and WordPress (which uses PHPMailer) is considering issuing a security patch for current versions as well.

The vulnerability: a FROM address containing escaped shell arguments, when passed as a variable into PHPMailer, is handed on to the mail function, which allows an attacker to put executable code into the root.

Note that as of now there are no known working exploits for this. Also note that this exploit may not work on all systems, because the different mail functions in use accept different arguments.

Also, as long as the email address passed to the FROM variable is more strictly validated (not allowing the escaped quotes and whitespace in email addresses), it is not an issue. Some feel that the strictness of not following the RFC exactly will prevent valid emails but many point out that it would only block VERY FEW valid emails and argue that the RFC should not allow such characters – most well-known email systems do not allow such characters anyway.

The code that I write always validates the email using the filter_var function (which is strict and prevents the issue from occurring). I checked Gravity Forms and they also use the filter_var function. I don’t know about JetPack. It is also likely that, if they have not already, CloudFlare and WP Engine will add an input filter for this.

If you are using a custom build of PHPMailer in any extensions/add-ons or external code, it is HIGHLY RECOMMENDED that you upgrade to PHPMailer version 5.2.18 or newer, which has escaping added to the FROM address.
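The strictness trade-off described above, written out as an added example (this is not PHPMailer’s, WordPress’s, or filter_var’s code): the checker accepts the plain dot-atom address form and deliberately rejects quoted local parts, whitespace, and backslashes, which is stricter than the RFC allows but is exactly what keeps an address from carrying extra arguments into the mail transport.

```javascript
// Added example: a strict sender-address check, written from scratch for this
// post. It is deliberately narrower than RFC 5322: quoted local parts such as
// "a b"@example.com are rejected even though the RFC permits them.
const ATOM = /^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+$/; // "atext" run, no dots
const LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/; // DNS label

function isStrictSenderAddress(addr) {
  if (typeof addr !== 'string' || addr.length === 0 || addr.length > 254) return false;
  // Whitespace, quotes and backslashes are the characters that let an address
  // smuggle extra command-line arguments; refuse them before anything else.
  if (/[\s"\\]/.test(addr)) return false;
  const at = addr.lastIndexOf('@');
  if (at < 1 || at === addr.length - 1) return false;
  const local = addr.slice(0, at);
  const domain = addr.slice(at + 1);
  // Local part: dot-separated atoms, no empty atoms (no leading/trailing/double dots).
  if (local.length > 64) return false;
  if (!local.split('.').every((atom) => ATOM.test(atom))) return false;
  // Domain: at least two labels, each a valid hostname label.
  const labels = domain.split('.');
  if (labels.length < 2) return false;
  return labels.every((label) => LABEL.test(label));
}

// Constructed inputs: ordinary addresses pass, the quoted/whitespace forms the
// post warns about do not.
const SAMPLES = {
  'user.name+tag@example.com': true,
  'first-last@sub.example.co.uk': true,
  '"a b"@example.com': false,        // quoted local part with whitespace
  'user@exa mple.com': false,        // whitespace in domain
  'user\\"x@example.com': false,     // escaped quote
  'user..name@example.com': false,   // empty atom
  'user@localhost': false,           // single-label domain
};

function checkSamples() {
  return Object.entries(SAMPLES).every(([addr, ok]) => isStrictSenderAddress(addr) === ok);
}
```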

Yet Another Yahoo! Security Issue


Yahoo! has fixed a major security flaw. This one was with their Yahoo! Mail email service and allowed an attacker to embed JavaScript in an email and have it execute. This would allow an attacker to gain access to all of a person’s email and Yahoo! account just by the victim opening an infected email.

How was it done? Yahoo!, like many other email services, strips HTML and most attributes from emails that are received. However, not all attributes are filtered, and normally it would not matter if JavaScript were embedded in an attribute – it needs to be encoded and won’t get executed anyway. However, thanks to the video and image previews that have been added in recent years (the ones that show YouTube or Vimeo video preview icons or previews of images attached to an email), some data-x attributes are used to allow the JavaScript Yahoo! wrote to generate a preview block:

Yahoo! Mail XSS Bug

So a security researcher thought… what would happen if I embedded a script inside the element data parameter? So he tried it:

What happened when he sent himself the infected email to his Yahoo! account?

Yahoo! Mail showing a popup generated from a received email

Uh oh…

But that is just some script embedded in an attribute, why is it getting converted to actual HTML? He began digging through Yahoo!’s JavaScript – the part that generates those video and image previews. He found a piece of code that was simply taking the contents of a couple of the parameters and embedding it within the page as HTML:

Oops…

With that kind of power an attacker could gain access to all of the emails from anyone that opened an infected email, send email as said user, or even do other actions with their account.
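The bug described above, modelled as an added example that is not Yahoo!’s code: the sanitizer encodes “<” and “>” inside attribute values, so the stored markup is inert; the browser decodes those entities when the preview script reads the attribute; and a renderer that concatenates the decoded value into markup turns it back into live HTML. The attribute names and the sample element are constructed, and entity decoding is simulated because the snippet runs in Node without a DOM.

```javascript
// Added example, not Yahoo!'s code: the preview-generation bug and its fix.

// Constructed sample: one already-sanitized element from a received email.
// The sanitizer encoded the angle brackets, so as stored it cannot execute.
const SANITIZED_ELEMENT =
  '<a href="https://example.com/video" data-preview-url="https://example.com/video"' +
  ' data-preview-title="Cat video&lt;script&gt;probe()&lt;/script&gt;">watch</a>';

// Simulates what getAttribute()/dataset return: the parser decodes entities.
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Reads double-quoted data-* attributes from a single element (assumption:
// values are double-quoted, which is all the sample needs).
function readDataAttributes(elementHtml) {
  const attrs = {};
  const re = /\sdata-([\w-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(elementHtml)) !== null) attrs[m[1]] = decodeEntities(m[2]);
  return attrs;
}

// Vulnerable pattern: decoded attribute values concatenated into markup that
// is later assigned to innerHTML. The sanitizer's encoding is undone here.
function renderPreviewUnsafe(attrs) {
  return '<div class="preview"><a href="' + attrs['preview-url'] + '">' +
         attrs['preview-title'] + '</a></div>';
}

// Fix: re-escape every untrusted value for the context it lands in, and only
// accept http(s) URLs (with a real DOM, createElement + textContent/setAttribute
// achieves the same without string building).
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

function renderPreviewSafe(attrs) {
  const url = /^https?:\/\//i.test(attrs['preview-url'] || '') ? attrs['preview-url'] : '#';
  return '<div class="preview"><a href="' + escapeHtml(url) + '">' +
         escapeHtml(attrs['preview-title'] || '') + '</a></div>';
}

const parsed = readDataAttributes(SANITIZED_ELEMENT);
console.log(renderPreviewUnsafe(parsed)); // contains a live <script> tag
console.log(renderPreviewSafe(parsed));   // script stays text: &lt;script&gt;
```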

The researcher submitted the flaw prior to releasing the details and Yahoo! has fixed the issue.