Showing posts with label vulnerability. Show all posts

Wednesday, April 29, 2015

Wordpress - Zero Day Vulnerability Discovered


http://hackingdude.com/2015/04/29/wordpress-zero-day-vulnerability/

Most of the time, we have reported about WordPress vulnerabilities involving vulnerable plugins, but this time a Finnish security researcher has discovered a critical zero-day vulnerability in the core engine of the WordPress content management system.
I thought I'd post about this since the vulnerability is a bit unusual.  I also thought it was a bit unusual that WordPress reportedly ignored a previous vulnerability that the researcher reported to them.  WordPress has a responsibility to its users, and for them to purposefully ignore such a discovery is wrong, in my opinion.

So, if you have WordPress CMSs that you administer, I'd advise you to upgrade to v4.2.1 (I did a few days ago).


Wednesday, January 28, 2015

CVE-2015-0235: Linux and glibc "Ghost" Vulnerability

Wondering about the Linux Ghost vulnerability?

Here's what I received from the US CERT:
The Linux GNU C Library (glibc) versions prior to 2.18 are vulnerable to remote code execution via a vulnerability in the gethostbyname function. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Linux distributions employing glibc-2.18 and later are not affected.
US-CERT recommends users and administrators refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch if affected. Patches are available from Ubuntu and Red Hat. The GNU C Library versions 2.18 and later are also available for experienced users and administrators to implement.
How to determine if your distribution is affected:  run "ldd --version".  If a version prior to 2.18 shows in the results, you may be vulnerable.  Note that distributions backport security fixes without bumping the glibc version number, so the version string alone is not conclusive; check the installed package's changelog or your vendor's advisory for the CVE-2015-0235 fix.  Also remember that patching the library is not enough on its own: long-running processes that loaded the old glibc (sshd, web and mail servers, etc.) keep using it until they are restarted, so either restart them or reboot.
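
Since the version string can mislead, a local behavioural test is the more reliable check.  The following C program is an added example, not part of the original post or of US-CERT's or any vendor's material; it follows the approach of the canary-based test program published with the Qualys advisory for CVE-2015-0235.  It calls gethostbyname_r() with an all-digits hostname sized so that an unpatched glibc's buffer-size calculation comes up short, and then looks for corruption of a canary placed directly after the caller-supplied buffer.  The CANARY string, the probe layout and the function name ghost_check are this example's own choices.

```c
/* Added example: local canary-based check for CVE-2015-0235 ("GHOST").
 * Not from the original post; modelled on the approach of the public
 * Qualys test program. It tests only the libc this binary is linked
 * against; it makes no network requests. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

enum ghost_result {
    GHOST_NOT_VULNERABLE = 0,  /* libc refused the undersized buffer with ERANGE */
    GHOST_VULNERABLE     = 1,  /* libc wrote past the buffer and hit the canary */
    GHOST_INCONCLUSIVE   = 2   /* neither: non-glibc libc or unexpected return */
};

#define CANARY "in_the_coal_mine"   /* arbitrary marker chosen for this example */

/* The buffer handed to gethostbyname_r(), with a canary immediately after
 * it. A vulnerable __nss_hostname_digits_dots() overruns 'buffer' by up to
 * sizeof(char *) bytes, which lands in 'canary'. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe;

int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;

    /* Reset the probe so the check can be run more than once. */
    memset(probe.buffer, 0, sizeof probe.buffer);
    memcpy(probe.canary, CANARY, sizeof CANARY);

    /* glibc sizes its scratch space as: 16 bytes of address storage,
     * two pointers for the h_addr_list array, the name, and a NUL.
     * A name of exactly this length makes the undersized buffer the
     * boundary case that unpatched versions mishandled. */
    size_t len = sizeof(probe.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(probe.buffer)];
    memset(name, '0', len);      /* all digits: takes the numeric-parse path */
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, probe.buffer,
                                 sizeof(probe.buffer), &result, &herrno);

    if (memcmp(probe.canary, CANARY, sizeof CANARY) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    switch (ghost_check()) {
    case GHOST_NOT_VULNERABLE: puts("not vulnerable (ERANGE returned, canary intact)"); return 0;
    case GHOST_VULNERABLE:     puts("VULNERABLE (canary overwritten)");                  return 1;
    default:                   puts("inconclusive (no overflow, but no ERANGE either)"); return 2;
    }
}
```

Build it with "gcc ghost_check.c -o ghost_check" and run it once per host.  Because the test exercises whatever libc the binary is dynamically linked against, run it after patching as well as before, and remember that statically linked binaries and chroots ship their own copy of glibc, which this check will not see.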

I used this link to check my Ubuntu servers.  Although that resource doesn't cater to Slackware, the checks can still be applied.  I'm not using Slackware as a flavor at the moment, but I'm sure Pat V. is working on a patched version of glibc.  In fact, it would be wise to check your distribution's website for further news about this vulnerability and how to patch your particular flavor of Linux.

Friday, February 15, 2013

Facebook Computers Compromised - 0 Day Java Exploit

Facebook computers compromised by zero-day Java exploit

http://tinyurl.com/cwmvxrv
https://t.co/M46qJAiH

I'm still reading up on it but wanted to put it out there ASAP!

Thursday, November 15, 2012

Skype and Adobe

It's been awhile since I've done this, but here it is:

First, Skype.  Apparently, Microsoft fixed an issue with Skype accounts being vulnerable to hijacking.  It only took them three (3) months to address the issue...

https://isc.sans.edu/diary/Skype+account+hijack+vulnerability+fixed/14512

http://countermeasures.trendmicro.eu/skype-vulnerability/

Next, there's been another password disclosure breach, this time affecting Adobe and connectusers.com users.  The compromise occurred via a SQL injection attack.

https://isc.sans.edu/diary.html?storyid=14515

http://arstechnica.com/security/2012/11/adobe-breach-reportedly-spills-easy-to-crack-password-hashes/ 


Note (LONG):

I posted the notifications on Facebook, as my friends and family use Skype.  I'm going to throw this out there right now:  I hate OSS zealots.  I had an acquaintance stir up some crap about "why are you using Skype", "why are you using Windows", "why are you giving the corporations your money/data".

Life is SHORT.  That goes for everyone, including the zealots.  I'm a fan of open source software, but I don't live the life of "down with M$".  Microsoft has a place in my life.  I game...a LOT.  I play the types of games that don't do well within virtual environments...there are no Linux equivalents of these games.  As well, complicated software that is difficult to keep running properly in Windows tends to be even more cumbersome on *nix.  

I know how to administer *nix and know its strong points as well as weak points.  I know *nix very well.  I've never solely administered *nix for a living (I'm multi-disciplined), but I know it well enough to where I've been running *nix servers remotely without issue for YEARS.  I also tend to focus on security hardening on my *nix machines, more so than the average *nix administrator (I'm a security consultant by trade).  So I know what I'm doing...I'm seasoned enough to know what to do and what not to do.

Now, I love *nix.  But there are different types of such love.  I love it but I also love gaming.  *nix won't do what I desire when it comes to the types of games I play, so in that regard it fails me.  You don't have to agree or disagree, because it won't matter what you think when it comes to *ME* and my computing usage.

As well, *nix can be high maintenance, depending on what's broken and your experience level.  I've told several of my relatives that have an interest in trying different operating systems that Linux could give them some freedom.  If they try it and find that it's not for them, I'm not going to continue pushing it down their throats.  That's not me.  I don't try to convince people (but I might nudge them if they're showing a serious interest)...that's the job of the product.  Also, the person doing the trying has to be open-minded and willing to learn new things.  I can help with that but I'm already pinged constantly, since most people think I'm a general tech support guy that they can call/e-mail at any time...I'm not going to administer their box for them. If you don't have the drive to help yourself a little and be willing to learn, *nix is NOT for you.

And, sometimes I just want stuff to work when I install it...without me fiddling with config files.  Remember, I've been working as a consultant the last 10 years in sometimes grueling or archaic work environments.  I do NOT want to come home to the same crap.

Yes, I love smartphones.  Yes, I love Mac systems.  Yes, I'm OK with using Windows 7. 

This smacks of socialism (pushing people to adopt your version of the greater good...sharing everything, having extreme hate for commercialism).  Maybe I'm generalizing, but this is not the first time I've had someone berate me or try to push me to not use MS/this product/that company...like there's some code I'm supposed to be following as a *nix user.  For those that have issues with *nix guys using "M$" software, are you really going to bust a blood vessel worrying about what I'm using on *MY* LAN?

Lastly, regarding the "corporations are bad and will share your data as well as backdoor all apps and even the OS".  Bullshit.  Believe that crap if you want.  While I won't willingly give out my private data, I'm not going to live like an Amish person.  I won't live like I'm in a cave.  I'll lock down my data as much as I can, but I will not believe that all corporations are bad.  If you believe that, I guess you keep your life savings in your mattress....good for you if you do, but that's not me.