Today the Avast anti-virus company is warning about a vulnerability in a WordPress image-resizer.
In early October, researchers from AVAST were contacted by several users via the CommunityIQ system that http://www.theJournal.fr, the online site for The Poitou-Charentes Journal, had been infected… The infection was the work of cybercriminals using the Blackhole Toolkit, a set of malware tools available on the black market. “TheJournal.fr and its readers were certainly not the only targets, this is a larger issue of WordPress security,” said Mr. Sirmer. We’ve registered 151,000 hits at one of the locations where this exploit redirected users. We also blocked redirects from 3,500 unique sites on August 28 – 31 – the first three days that this infection surfaced – that led to this exploit. During September, we blocked redirects from 2,515 sites and I expect October results will be similar.
Thing is, this vulnerability was found way back on 1 August by Mark Maunder:
An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty…
Eventually I found it. The hacker had done an eval(base64_decode(‘…long base64 encoded string’)) in one of WordPress PHP files. My bad for allowing that file to be writeable by the web server. Read on, because even if you set your file permissions correctly on the WordPress php files, you may still be vulnerable.
Zero Day Vulnerability in many WordPress Themes
And it was further discussed by Matt Mullenweg on 8 August:
Last week there was a serious flaw found in the code behind TimThumb, an image re-sizing library commonly used in premium themes. Because the code is commonly embedded in themes it’s not easy to discretely update like it would be if the code were a plugin, and even when a theme is updated people are hesitant to update because they often customize theme code rather than making child themes, so if they were to overwrite their theme with a new version they’d lose their modifications.
The TimThumb Saga
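The two indicators Maunder describes (a planted `eval(base64_decode(...))` in a PHP file the web server could write to, and a bundled timthumb.php whose `$allowedSites` array was never emptied) are easy to check for from the defender's side, and because Mullenweg's point is that theme-embedded copies of the script never get updated, the check has to walk the theme tree rather than rely on a plugin version. The script below is an added example written for this post, not code from Maunder, Mullenweg, or the TimThumb or WordPress projects. It builds a constructed throwaway theme directory (file names, contents and the `example.com` hosts are all made up) and then reports every PHP file that carries one of the three indicators.

```python
"""Defensive scan for the TimThumb-era indicators named in the post:
- eval(base64_decode(...)) planted in a PHP file
- PHP files that are group- or world-writable (so the web server may write them)
- a timthumb.php whose $allowedSites array is not empty
Added example, not code from the original post or the projects it cites.
"""
import os
import re
import stat
import tempfile

# eval wrapped directly around base64_decode, tolerating whitespace/case.
OBFUSCATED_EVAL = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# The $allowedSites assignment as it appears in timthumb.php: array( ... );
ALLOWED_SITES = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.DOTALL)
QUOTED = re.compile(r"""['"]([^'"]+)['"]""")


def find_obfuscated_eval(source: str) -> list:
    """1-based line numbers in `source` containing eval(base64_decode(."""
    return [i for i, line in enumerate(source.splitlines(), 1)
            if OBFUSCATED_EVAL.search(line)]


def find_allowed_sites(source: str) -> list:
    """Hostnames listed in the first $allowedSites = array(...) assignment."""
    match = ALLOWED_SITES.search(source)
    return QUOTED.findall(match.group(1)) if match else []


def is_group_or_world_writable(path: str) -> bool:
    """True when the group or 'other' write bit is set on `path`."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan_tree(root: str) -> dict:
    """Map relative path -> indicator report for every .php file under `root`
    that shows at least one indicator; clean files are omitted."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            report = {
                "eval_lines": find_obfuscated_eval(source),
                "writable": is_group_or_world_writable(path),
                # Only the resizer script carries the $allowedSites setting.
                "allowed_sites": find_allowed_sites(source) if name == "timthumb.php" else [],
            }
            if any(report.values()):
                findings[os.path.relpath(path, root)] = report
    return findings


def build_sample_tree() -> str:
    """Constructed throwaway theme directory (all names/contents are made up):
    one clean file, one file with a planted eval that is world-writable, and
    one timthumb.php with a non-empty $allowedSites."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    theme = os.path.join(root, "wp-content", "themes", "example-theme")
    os.makedirs(theme)
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php\nfunction example_setup() { add_theme_support('title-tag'); }\n")
    os.chmod(os.path.join(theme, "functions.php"), 0o644)
    with open(os.path.join(theme, "header.php"), "w") as fh:
        # Placeholder stands in for the long encoded string; no real payload.
        fh.write("<?php\n// constructed indicator line, not a real backdoor\n"
                 "eval(base64_decode('PLACEHOLDER'));\n")
    os.chmod(os.path.join(theme, "header.php"), 0o666)
    with open(os.path.join(theme, "timthumb.php"), "w") as fh:
        fh.write("<?php\n$allowedSites = array(\n    'example.com',\n"
                 "    'images.example.net',\n);\n")
    os.chmod(os.path.join(theme, "timthumb.php"), 0o644)
    return root


if __name__ == "__main__":
    for rel_path, report in sorted(scan_tree(build_sample_tree()).items()):
        print(rel_path, report)
```

Run it against a real `wp-content/themes` directory instead of the constructed tree to get the same report; an `$allowedSites` list that is non-empty, or an `eval_lines` entry anywhere, is the cue to apply Maunder's advice (remove timthumb.php or empty the array, and fix the write permissions).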
I don’t know how we do it, but somehow we need to convert researchers’ research into users’ use.
Tomorrow the Foreign Office will host an international conference on cyber security – and I would just love to be a fly on the wall of the closed sessions seeking to teach the world how to behave on the internet.
Britain will be there trying to explain the difference between British criminal rioters and other nations’ freedom fighters, and that we need international co-operation to allow Cameron to block social networks in the UK while protecting the free speech and free intercourse of freedom fighters in other countries.
France will be trying to sell its spyware to China.
The USA will be late to the table.
Germany will be trying to sell its spyware to China.
Australia and New Zealand will be hoping to learn how to control access to the internet from China.
The CIA will be offering its spyware free to China – but it includes a secret back door.
Russia won’t say much; it’s too busy looking for opportunities.
The EU won’t say much; it’s too afraid that the Euro’s begging bowl to China will be spurned.
France will still be trying to sell its spyware to China.
The USA will make a great public stand on the immutability of free speech, while quietly trying to explain to China that you don’t actually have to protect civil liberties, you just have to pretend to.
China will be inscrutable. It doesn’t give a hoot. Its way has clearly proved to be the best way – why change what ain’t broken? If other countries leave their intellectual property lying around on the internet, picking them up isn’t criminal, it’s just good business. And anyway, what would happen if China foreclosed on the rest of the world?
So what will we get from this conference? My suspicion is that everyone will agree, and nothing will change. Except, perhaps, I can see the IWF’s Cleanfeed becoming even more international, growing from child pornography and copyright infringement to include other categories, and becoming mandatory for many ISPs around the world. Except for China which has got its own.
Don’t you just love statistics? The security industry uses them extensively, but here’s a non-security example of why I love ‘em.
There’s a campaign here in the West Country to persuade all pensioners to retake their driving test, or at least take a refresher course. The argument is simple and an absolute clincher: one in five accidents are caused by pensioners.
But consider. Let’s say that pensioners are aged 65 to 80 (actually, here in the West Country they’re more likely to be 65 to 95 driving souped up Golfs). Anyway, 65 to 80 is fifteen years. The full driving span is 17 to 80; that is, 63 years; meaning that 48 years are occupied by pre-pensioners.
Now, according to the argument, one-fifth of accidents (20%) are caused by pensioners. So, in those 15 years, pensioners are responsible for a ratio of accidents to years (20/15); ie, 1.33. But pre-pensioners are responsible for a ratio of accidents to years (80/48); ie, 1.66. So, just on these figures, pre-pensioners are more likely to cause accidents than actual pensioners; and clearly it is we rather than they that need refresher courses.
The statisticians among us will say, whoa! you can’t prove that from those. You have an agenda, and you’re using statistics to prove it. But that’s my point. Statistics are never used for anything other than to justify a pre-determined course of action. Rightsholders twist piracy statistics to justify draconian copyright laws. Leftist governments twist economics to prove that we are better off under socialism. Rightist governments twist economics to prove that we need to do what is best for Big Business because it will benefit all of us (but them even more). All governments twist threat statistics to justify draconian anti-terrorist control laws. And of course some security companies twist cyberthreat statistics to persuade us to buy their product.
When offered statistical justification for something, bin the statistics. Base your course of action on your experience, your gut feeling, a pinch of logic and a dash of independent advice, and you’re more likely to choose the right course of action.