WordPress 4.0.1 – Critical WordPress XSS Update| InfoSec Handlers Diary Blog

Today, WordPress 4.0.1 was released, which addresses a critical XSS vulnerability (among other vulnerabilities). [1]

The XSS vulnerability deserves a bit more attention, as it is an all too common problem, and often underestimated. First of all, why is XSS “Critical”? It doesn’t allow direct data access like SQL Injection, and it doesn’t allow code execution on the server. Or does it?

XSS does allow an attacker to modify the HTML of the site. With that, the attacker can easily modify form tags (think about the login form, changing the URL it submits it’s data to) or the attacker could use XMLHTTPRequest to conduct CSRF without being limited by same origin policy. The attacker will know what you type, and will be able to change what you type, so in short: The attacker is in full control. This is why XSS is happening.

The particular issue here was that WordPress allows some limited HTML tags in comments. This is always a very dangerous undertaking. The word press developers did attempt to implement the necessary safeguards. Only certain tags are allowed, and even for these tags, the code checked for unsafe attributes. Sadly, this check wasn’t done quite right. Remember that browsers will also parse somewhat malformed HTML just fine.

InfoSec Handlers Diary Blog – Critical WordPress XSS Update.

New Site Recovers Files Locked by Cryptolocker Ransomware — Krebs on Security

Great news for those affected by the CryptoLocker virus.

But early Wednesday morning, two security firms – Milpitas, Calf. based FireEye and Fox-IT in the Netherlands — launched decryptcryptolocker.com, a site that victims can use to recover their files. Victims need to provide an email address and upload just one of the encrypted files from their computer, and the service will email a link that victims can use to download a recovery program to decrypt all of their scrambled files.

The free decryption service was made possible because Fox-IT was somehow able to recover the private keys that the cybercriminals who were running the CryptoLocker scam used on their own (not free) decryption service. Neither company is disclosing much about how exactly those keys were recovered other than to say that the opportunity arose as the crooks were attempting to recover from Operation Tovar, an international effort in June that sought to dismantle the infrastructure that CryptoLocker used to infect PCs.

 

New Site Recovers Files Locked by Cryptolocker Ransomware — Krebs on Security.

The price of data sovereignty? $33.5million | News.com.au

THE Australian Defence Force’s optometry service provider has been sacked after sending patients’ medical records offshore.

OPSM’s parent company Luxottica Retail Australia yesterday lost its $33.5 million contract with the ADF after sending Defence personnel’s optical claims information overseas for processing.

Full story here – Luxottica loses contract with ADF after sending diggers’ data offshore | News.com.au.

Why you should NEVER shrink your SQL data files | Paul S Randall

We were dealing with a client who had a very large database that was out growing their disk space.  Initial plan was to shrink the database to regain the almost 18GB of space that was not used anymore.  Started the shrink and found it was taking a very long time to complete.  Even worse when it completed performance was worse than before – even though the database was now smaller.  Strange!

It was at this moment that something snagged in my brain and I remembered something I had read about NEVER having AutoShrink and ONLY AS A LAST RESORT do a shrink. I  found the article and thought I would share it here:

From SQL Server Shrink

Shrinking of data files should be performed even more rarely, if at all. Here’s why – data file shrink causes *massive* index fragmentation. 

and

The only way to remove index fragmentation without causing data file growth again is to use DBCC INDEXDEFRAG or ALTER INDEX … REORGANIZE. These commands only require a single 8KB page of extra space, instead of needing to build a whole new index in the case of an index rebuild operation.

 

Valuable lesson learned!

Critical Update for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 | Microsoft

Important All future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require this update to be installed. We recommend that you install this update on your Windows RT 8.1, Windows 8.1, or Windows Server 2012 R2-based computer in order to receive continued future updates.

What this means is that unless you get this patch onto your client machines they will be unable to download and install security updates from May onwards… therefore you NEED TO GET THIS TESTED AND DEPLOYED OUT SOONER THAN LATER.

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 Update April, 2014.