Update: Now that SOPA has been put on the back burner, the next thing to protest is the Anti-Counterfeiting Trade Agreement (ACTA), an international treaty which could have massive repercussions on the freedom of the internet.
Update 2 (5 July 2012): ACTA rejected by EU :)
Anyone who follows Security Generation will know that I’m a big advocate of civil liberties and freedom in general. The internet is currently a multicultural and multimedia hub of information, ideas, creativity and innovation, and there is a risk this could be irrevocably changed. Granted there is also a lot of crap on the internet, but freedom works both ways. Whilst the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) intend to reduce piracy on the net, in reality they would hand vast amounts of power over to industry copyright holders, who would then have the ability to have sites blocked and content taken down, inhibit free speech and bring . For more information about all of this, check out this good summary article.
Due to the threat that these acts would pose to the open internet, many large internet companies have stated their opposition including Google, Yahoo!, Twitter, eBay, and Wikimedia, as well as civil liberties groups such as the ACLU and the EFF. On January 18, these and countless other blogs and sites, including Security Generation, will be protesting this legislation by blacking out (read: censor) parts of their sites and educating users about the danger of american censorship.
If you have a blog or website, you’re encouraged to add your voice to the cause. CloudFlare users will be able to easily participate just by enabling the new Stop Censorship app, which will black out large chunks of text on your site, and inform your users about the dangers presented by this type of legislation. WordPress users without CloudFlare can also join in by installing one of the many Stop SOPA/PIPA plugins.
This is my favorite anti-SOPA song so far:
WordPress.com (the blog hosting platform) was compromised by hackers using an undisclosed vulnerability. My guess is the attackers found an unpatched server somewhere, and used that to get into the environment. Information from Automattic is limited, but they’re assuming that source code and other information was probably stolen. Nobody has come forth to claim the hack, or post WordPress’ source code and account information online, Gawker-style.
If you have a blog on WordPress.com, I recommend changing your password there (and on any other site where you may have used the same password). If you host your own WordPress blog, there isn’t cause for concern just yet as there are many ways that the hackers could have gotten root access, so the vulnerability used may not be within the WordPress software itself.
I’ll update this post should any more information come to light.
WordPress have released a minor 3.1.1 update which patches an XSS flaw on the database upgrade screens. The change log also mentions a strengthening of security mechanisms relating to media uploads, and fixes to potential PHP crashes caused by complex hyperlinks. The update also includes a number of other security and bug fixes.
It’s a fairly minor update that shouldn’t break any plugins. Update when ready.
WordPress “Reinhardt” 3.1 has been released, with the bulk of changes focused on the admin interface and functionality. Key improvements include:
- A redesigned linking workflow
- A funky new admin bar (hopefully it’ll be possible to customize this one)
- A streamlined writing interface
I particularly like the new linking functionality, which simplifies linking to internal posts and pages on your site (screenshot below). No more having to find that page, and copy/paste the URL!
I was a bit apprehensive about updating, as it’s quite easy for plugins to break, and there’s no easy way to see the compatibility status of your plugins. If anyone feels up to it, I’d like to see a plugin that allows you to quickly check the compatibility status of all your installed plugins with regard to the next available version. That said, I updated, and it went flawlessly.
Other than that, this update does not have a significant impact in terms of security apart from the usual bug fixes.
WordPress 3.0.5 has been released, and is primarily a security update focusing on vulnerabilities which can be exploited through untrusted user accounts. This follows the recent 3.0.3 and 3.0.4 updates which were also security-focused. If your WordPress installation does not have any non-admin users, then this update is less urgent, however it is recommended that you update as soon as possible anyway.
Here is a description of the five main updates:
Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.
One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.
Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in previous release.
WordPress 3.1 is currently at RC4 and is expected to be officially released soon.
WordPress have released an update (3.0.4), dubbed “the most important security release of the year”, that patches a core security bug in the HTML sanitation library (KSES). KSES is responsible for filtering user input and, as such, is used to protect WordPress sites from attacks such as Cross-Site Scripting (XSS). XSS vulnerabilities were discovered, however the details of these are not available (see below).
They rate this release “critical”, and so it’s recommended that all WordPress sites update as soon as possible. The full changeset for the 3.0.4 update is here. Security researchers are invited to review these changes to ensure the vulnerabilities have been fully fixed. Spread the news if you have any friends with a WordPress blog!
[Updated] One stored XSS exploit for 3.0.3 is available here.