WordPress Warns Of Trojanized Plug-Ins, Urges Patching

Strategic Security Survey: Global Threat, LocalPain
(click image for larger view and for full slideshow)WordPress on Tuesday warned all users who run its software on their own servers to beware a trio of malicious plug-ins for its content management software, which may have been available for download from the site for more than 24 hours.

“Earlier today the WordPress team noticed suspicious commits to several popular plugins–AddThis, WPtouch, and W3 Total Cache–containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory,” said a warning from Matt Mullenweg, founding developer of WordPress, released on Tuesday.

More Security Insights

White Papers

  • Notebook and Netbook Adoption
  • CIO Strategies for Consumerization: The Future of Enterprise Mobile Computing

Reports

Videos

We spoke with Chris Sather, Product Management for Network Defense at McAfee about McAfee's next generation firewalls that analyze relationships and not protocols.PGP CEO Phil Dunkleberger talks to us about the latest Ponemon research data, which will show a higher cost from legal fees and targeted malware.PGP CEO Phil Dunkleberger talks about the newest features of PGP, and some of the trends driving where its technology is going.

Plug-ins extend WordPress functionality, and the ones called out in the security warning offer an interface with social networking sites (AddThis), mobile and iPad versions of WordPress blogs (WPtouch), and server performance enhancements (W3 Total Cache). AddThis and W3 Total Cache have been downloaded at least 500,000 times, and the free version of WPtouch, more than two million times.

Mullenweg said that while an investigation is underway and there’s no evidence that attackers compromised the WordPress site, WordPress just to be safe has forcibly reset all passwords for WordPress.org, which is the site where users can download WordPress. “To use the forums, [development site] Trac, or commit to a plugin or theme, you’ll need to reset your password to a new one”–by using the log-in page–said Mullenweg.




In addition, he said that any users of the three Trojanized plug-ins who updated them “in the past day” (meaning Monday or Tuesday) should upgrade those plug-ins immediately.

Plug-ins, malicious or otherwise, continue to account for an increasing number of vulnerabilities seen in applications, both on PCs (for example, with browsers) and in Web applications (such as WordPress). In terms of WordPress, plug-ins now account for 80% of all WordPress-related vulnerabilities, according to HP DVLabs.

But some plug-in vulnerabilities are worse than others. “Web-based backdoors can be extremely dangerous,” said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. “If you’re a WordPress user, you’ll know that the WordPress platform includes a complete and powerful administration interface, password-protected, via a URL such as “site.example/wp-admin.” A WordPress backdoor might offer something with similar functionality, but using a different, unexpected, URL, and using a password known to the hacker, instead of to you.”

Another danger is that if attackers managed to steal WordPress passwords, they might attempt to use them to access other sites. According to Mullenweg, “as a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one.”

Unfortunately, password reuse remains rampant as numerous, recent attacks have shown, such as when LulzSec released stolen databases containing usernames and passwords–such as the release of 37,608 SonyPictures.com passwords, which researchers have cross-referenced with other leaked databases.

Small and midsize businesses are falling prey to cyberattacks that cost them sensitive data, productivity, and corporate accounts cleaned out by sophisticated banking Trojans. In this report, we explain what makes these threats so menacing, and share best practices to defend against them. Download it now. (Free registration required.)

Article source: http://www.informationweek.com/news/security/vulnerabilities/231000230

Leave a Reply