Release: WordPress 4.7.1

The WordPress logo. A "W" cut out of a dark gray circle with an outline of the same color. "WordPress" is written below the logo. "Word" is a dulled blue and "Press" is the same gray color as the logo.

WordPress, the open-source blogging and CMS platform, has released version 4.7.1, a security update to version 4.7.

The update fixes eight (8) major security issues as well as sixty-two (62) other various bugs found in 4.7.

  1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
  3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file.
  5. Cross-site scripting (XSS) via theme name fallback.
  6. Post via email checks mail.example.com if default settings aren’t changed.
  7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
  8. Weak cryptographic security for multisite activation key.
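The REST API change in item 2 is driven by the `show_in_rest` argument of `register_post_type()`: after 4.7.1, authors of a post type are listed by `/wp-json/wp/v2/users` only if that post type opted into the REST API. The snippet below is an added illustration, not code from the WordPress release; the two post type names and the decision to remove the users routes entirely are assumptions for a site that does not need them.

```php
<?php
// Added example (not from the WordPress release): which post types expose their
// authors through the REST API after 4.7.1, and one optional hardening step.

add_action( 'init', function () {
    // Exposed in the REST API: authors of "portfolio" posts appear in
    // /wp-json/wp/v2/users on 4.7.1 (as they did for every public type on 4.7).
    register_post_type( 'portfolio', array(       // assumed post type name
        'public'       => true,
        'show_in_rest' => true,
    ) );

    // Not exposed: on 4.7.1 authors who only wrote "internal_note" posts no
    // longer show up in the users endpoint, even though the type is public.
    register_post_type( 'internal_note', array(   // assumed post type name
        'public'       => true,
        'show_in_rest' => false,
    ) );
} );

// Optional hardening for sites that never need the users endpoint at all:
// drop both users routes before the REST server registers them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

With the filter active, requests to `/wp-json/wp/v2/users` return the REST API's "no route" error instead of author data.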

It is strongly encouraged that you update your version of WordPress as soon as possible to avoid possible exploitation. As always, I also encourage everyone to read through the changelog to see what was fixed and what could become an issue in the future.

WordPress 4.7.1 Security and Maintenance Release

Firefox: Stolen and Fixed

Mozilla Firefox web browser logo: an orange fox with yellow flames for a tail wrapped around a dark-blue globe.

Mozilla, an open-source software community run by the non-profit organization, Mozilla Corporation, and developer of the Firefox web browser, has announced that its bug-tracking software, Bugzilla, was hacked. The organization’s blog post states that the compromised account had access to privately listed bugs representing zero-day security flaws in the browser. However, if you keep your browser up to date you are protected: the zero-day flaws that were stolen were all patched as part of version 40.0.3, released August 27, 2015. The post does not state the date on which the account was compromised.

Green bug being swept up by a broom. Icon / clip-art.
By Poznaniak, other authors in the source files, via Wikimedia Commons

This should definitely be a wake-up call to keep the software you use up to date. Many applications today update automatically (including the more recent versions of Firefox), but some do not. In addition to keeping you safe from security flaws, the latest versions of programs also deliver features that make using the software more enjoyable and sometimes easier. In the case of web browsers, updates also deliver new tools that web developers can use to build web applications and websites that are more visually appealing and interactive.

More Information

A more detailed explanation of why you should take the time to ensure the software you use is up to date will follow in an upcoming post. I will link the post here.