More than 1 million WordPress websites imperiled by critical plugin bug

More than one million websites that run on the WordPress content management application run the risk on being completely hijacked by attackers exploiting critical vulnerability in most versions of a plugin called WP-Slimstat.

Versions prior to the recently released Slimstat 3.9.6 contain a readily guessable key that's used to sign data sent to and from visiting end-user computers, according to a blog post published Tuesday by Web security firm Sucuri. The result is a SQL injection vector that can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites.

"If your website uses a vulnerable version of the plugin, you’re at risk," Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri, wrote. "Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover)."

Read 2 remaining paragraphs | Comments

Samba Remote Code Execution Vulnerability

Original release date: February 24, 2015

Linux and Unix based operating systems employing Samba versions 3.5.0 through 4.2.0rc4 contain a vulnerability in the Server Message Block daemon (smbd). Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

US-CERT recommends users and administrators refer to their respective Linux OS vendor(s) for an appropriate patch if affected. Patches are currently available from Debian, Red Hat, Suse, and Ubuntu. A Samba patch is available for experienced users and administrators to implement.

This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird

Original release date: February 24, 2015

The Mozilla Foundation has released security updates to address multiple vulnerabilities in Firefox, Firefox ESR, and Thunderbird. Exploitation of these vulnerabilities may allow a remote attacker to obtain sensitive information or execute arbitrary code on an affected system.

Updates available include:

  • Firefox 36
  • Firefox ESR 31.5
  • Thunderbird 31.5

Users and administrators are encouraged to review the Security Advisories for Firefox, Firefox ESR, and Thunderbird and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Tax firm H&R Block doesn’t verify client’s e-mail, leaks personal info

With tax season in full swing, it's time for the yearly reminder that the security practices of many tax-preparation services are lacking. Case in point: H&R Block's reported failure to confirm the e-mail addresses of at least some of its online account holders. The lapse was reported to Ars by reader Aaron Johnson, who said H&R Block in recent days has e-mailed him the name, address, and security question of a complete stranger. Johnson said he is confident he has everything he needs to access this person's account, steal his most valuable personal data, and hijack any owed tax returns. We created an account at H&R Block and were not asked to authenticate the e-mail address we used. The stranger happens to share Johnson's first and last name, and for reasons that aren't entirely clear, the alter ego occasionally uses Johnson's e-mail address when creating accounts. At no point, Johnson said, did he receive an e-mail from H&R Block requiring him to confirm that his e-mail address was connected to the other person's account.
Read 2 remaining paragraphs