Another security update…

There has been another security update, so here is a brief run-down (this one is simpler than the previous one):

What we did about it

We have installed the upgrade, which updated the two third-party libraries that had newly discovered vulnerabilities.

What the vulnerability was

There were two separate vulnerabilities; both were in third-party tools used in WordPress.

The first issue was in Plupload, a tool used for managing file uploads, which in certain circumstances could allow a remote person to perform actions on the site which the user did not initiate. This is called a Same Origin Method Execution (SOME) vulnerability. In this case other security measures in WordPress limited the risk, and it only affected the 4.5.1 release, so it was not a high-profile (but still high-priority) issue.

The second issue was in MediaElement.js, a tool used in WordPress to stream audio and video content through WordPress syntax. This was a Cross-Site Scripting (XSS) vulnerability with little mitigation of the risk, and so it was both a high-profile and high-priority issue. Effectively, a maliciously formed URL could be fed into the JavaScript and the remote person could execute code on the server.

What this means for you

Nothing, as far as we are aware. The issues are completely fixed.

However, it exposed that WordPress is not strictly using HTML5 audio and video. Everyone on the internet should be using a modern browser which supports HTML5; there are inherent risks to older browsers which simply cannot prevent certain types of internet security and privacy attacks which have been resolved in newer browsers. By supporting old, vulnerable browsers (by using MediaElement.js) WordPress is enabling users to continue being at risk rather than encouraging them to update/upgrade.

Upgrades and vulnerabilities

WordPress released a recent upgrade to address a security issue[1], and also warned operators of servers using ImageMagick of security issues possible when processing insecure images[2].

What we did about it

We have upgraded to the current stable version (we always do, usually within minutes of the release). We have also addressed the so-called “ImageTragick”[3] vulnerability in the ways currently suggested by the ImageMagick developers. But, just for your own peace of mind (and ours!), please ensure that your regional site does not allow users, forum posters, or commenters to upload photos. Also, please do not ‘upload’ images using URLs, as this is another vector for this exploit to be used. If you are using the PressThis tool to republish articles from the internet, this is another way to infect your site.

What the vulnerability was

The issue addressed by WordPress potentially allowed someone to run a script in a visitor’s browser when displaying/streaming certain kinds of media. Obviously this could not directly affect your website, but it could get your site blacklisted as a source of malicious scripts even though it wasn’t really your site doing the harm to the visitor. This is completely fixed by the security update.

The issue with ImageMagick potentially allowed remote code execution (RCE) on the server. When images are used in WordPress they are processed in various ways using ImageMagick – to create thumbnails, or change a photo’s dimensions, or in other ways – and during that processing ImageMagick could be convinced to execute instructions on the server. This could in theory do almost anything the webserver has the ability to do, including severely harming your site or the webserver itself. This is not completely fixed by the security update from ImageMagick, and so the vulnerable portions of ImageMagick have been disabled. Most likely this will not affect your site, but be aware of possible issues if you use .svg or .mvg graphics. There are known attempts to use this exploit in the wild, but sites should no longer be vulnerable.
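As an added example (not part of the original post, and not this host's own tooling), here is a small Python audit that reads an ImageMagick policy.xml and reports which risky coders are actually denied. The coder list comes from the public ImageTragick mitigation advice, the sample policy is constructed, and the matching is a conservative simplification of ImageMagick's own rule evaluation.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders named in the public ImageTragick mitigation advice (assumed list;
# the post does not say exactly which coders were disabled on this host).
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample policy.xml: EPHEMERAL was forgotten, and a later rule
# hands read access back to MVG.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="read" pattern="MVG"/>
</policymap>"""


def audit_policy(policy_xml, coders=RISKY_CODERS):
    """Return {coder: 'blocked' | 'allowed' | 'no rule'} for each coder.

    Conservative simplification (assumption): a coder counts as blocked only
    if every coder-domain rule whose pattern matches it has rights="none".
    """
    root = ET.fromstring(policy_xml)
    result = {}
    for coder in coders:
        rights_seen = [
            pol.get("rights", "").strip().lower()
            for pol in root.iter("policy")
            if pol.get("domain", "").lower() == "coder"
            and fnmatch.fnmatchcase(coder, pol.get("pattern", ""))
        ]
        if not rights_seen:
            result[coder] = "no rule"
        elif all(r == "none" for r in rights_seen):
            result[coder] = "blocked"
        else:
            result[coder] = "allowed"
    return result


def unblocked(policy_xml, coders=RISKY_CODERS):
    """Sorted list of coders that the policy does not reliably deny."""
    status = audit_policy(policy_xml, coders)
    return sorted(c for c, s in status.items() if s != "blocked")


if __name__ == "__main__":
    for name, state in audit_policy(SAMPLE_POLICY).items():
        print(f"{name:10s} {state}")
```

Pass extra coder names (for example `("SVG",)`) as the second argument to check formats beyond the default list.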

What this means for you

Nothing, as far as we are aware. When a more-complete fix for ImageMagick is available we will re-enable the possibly vulnerable portions again. In the meantime, if you have any issues with any media on your site (especially media which do not resize correctly) please use the secure contact form to get in touch with us immediately.

[1] WordPress 4.5.2 Security Release
[2] ImageMagick Vulnerability Information
[3] ImageTragick