16 December 2020

Another WordPress Hack

This is likely to become a common occurrence in the weeks ahead, as the bad guys figure out that WP and its ecosystem of plugins are a complete mess. Zero-day in WordPress SMTP plugin abused to reset admin account passwords | ZDNet

Hackers are resetting passwords for admin accounts on WordPress sites using a zero-day vulnerability in a popular WordPress plugin installed on more than 500,000 sites.

The zero-day was used in attacks over the past weeks and was patched on Monday.

But as they note, just because a patch is available doesn't mean that people will apply it. If you are running a WP instance, make sure you update. If you are paying for hosting, make sure whoever is managing your site has updated. It is trivial to use the vulnerability in question.

2 comments:

  1. There's a reason I don't allow write access under the webroot. It's a no-brainer. Just like making sure directory browsing is not enabled. How are you smart enough to create a popular plugin, but not smart enough to see the problem with writing log files where they are accessible by a web browser?

    1. How are you smart enough to create a popular plugin, but not smart enough to see the problem with writing log files where they are accessible by a web browser?

      Major manufacturers of routers bake in hard-coded back doors. (Or they did until they got caught a few years back)

      Manufacturers of all kinds of IoT stuff (not just the cheap systems) sell hardware with embedded Unix or Linux or whatever systems that can't be updated.

      Manufacturers of medical equipment - MRI, CAT scanners, etc. - don't do any checks to verify that software updates are legitimate before they blindly update and install them.

      This kind of boneheaded disregard for security is sadly all too common. And this is not a minor WP plugin. 500,000 installations. Not all of those will be vulnerable, because they won't have directory listing enabled. But enough of them were set up that way to make it an actual zero-day.

      "Do you know how much security costs? What could go wrong?" said every executive ever.

      I used to do a presentation about schedule versus cost versus quality. Used to be I could juggle a little bit. You can pick 2. You can meet your schedule at a low cost, but you probably won't be happy with the quality.

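The first comment's two checks (no log files reachable under the webroot, directory listing turned off) can be audited on the server itself. The script below is an added example, not code from the post or from any plugin; it assumes an Apache-style setup where a `.htaccess` with `Options -Indexes` in the directory or an ancestor is what blocks listings, and the directory tree it builds is constructed for the demo.

```python
import os
import re
import tempfile

# Apache "Options ... -Indexes" directive (assumption: .htaccess controls listing here).
NO_INDEXES = re.compile(r"^\s*Options\b.*-Indexes", re.I | re.M)


def listing_blocked(dirpath, webroot):
    """True if a .htaccess in dirpath or any ancestor up to webroot sets -Indexes."""
    cur, root = os.path.abspath(dirpath), os.path.abspath(webroot)
    while True:
        ht = os.path.join(cur, ".htaccess")
        if os.path.isfile(ht):
            with open(ht) as fh:
                if NO_INDEXES.search(fh.read()):
                    return True
        if cur == root:
            return False
        cur = os.path.dirname(cur)


def audit_webroot(webroot):
    """Return sorted (relative_path, issue) findings for a WordPress docroot."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        logs = sorted(f for f in filenames if f.lower().endswith(".log"))
        for name in logs:
            findings.append((rel + "/" + name, "log file reachable under webroot"))
        # A browsable directory reveals the log's name even when it is not guessable.
        if logs and not listing_blocked(dirpath, webroot):
            findings.append((rel, "directory listing not disabled"))
    return sorted(findings)


def demo():
    """Constructed tree: one exposed plugin log, one covered by an ancestor -Indexes."""
    root = tempfile.mkdtemp()
    exposed = os.path.join(root, "wp-content", "uploads", "example-plugin")  # constructed
    covered = os.path.join(root, "wp-content", "plugins", "other-plugin")    # constructed
    os.makedirs(exposed)
    os.makedirs(covered)
    for d in (exposed, covered):
        with open(os.path.join(d, "debug.log"), "w") as fh:
            fh.write("constructed sample log\n")
    with open(os.path.join(root, "wp-content", "plugins", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")
    return audit_webroot(root)


if __name__ == "__main__":
    for path, issue in demo():
        print(f"{issue}: {path}")
```

Run it against the real document root instead of the demo tree; the fix for every finding is to write logs outside the webroot, and to disable listings at the server level rather than per directory.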
