Security Week 51: bugs in WordPress 5.0 and Logitech software, a Facebook photo vulnerability

Just a week after the major WordPress 5.0 release, the developers of the world's most popular CMS shipped a patch covering several serious vulnerabilities (news). Seven holes were closed in total. The most serious one, present in some WordPress configurations, allowed search engines to index the new-user activation page. The URL of that page contains the activation key, so it became possible to leak user email addresses and, in some cases, even automatically generated passwords.

The problem was solved by moving the identifier from the URL into a cookie. The vulnerability also affects the 4.x branch: version 4.9.9 has been released for those who, for whatever reason, are not ready to upgrade to WordPress 5.0. Three more XSS vulnerabilities theoretically allow already registered WordPress users to escalate privileges, in one case by editing administrators' comments. A PHP-related vulnerability was also closed that allowed an arbitrary save path to be specified when uploading a file; researcher Sam Thomas spoke about it in more detail at the Black Hat conference (PDF). More information on all the closed vulnerabilities can be found in the Wordfence blog.
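To make the fix concrete, here is an added illustration (not WordPress code, and not taken from the digest) of the two patterns: an activation key carried in the query string, where every copy of the URL (a crawler's index, a referrer header, a proxy log) carries the secret, versus the hardened pattern that moves the key into an HttpOnly cookie and redirects to a key-free URL. The path `/activate`, the cookie name, the `PENDING` table and the account data are all constructed for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

ACTIVATION_COOKIE = "activation_key"   # assumed cookie name, not WordPress's
ACTIVATION_PATH = "/activate"          # assumed path, not WordPress's

# Constructed pending-activation table: key -> what the activation page would show.
PENDING = {
    "c0ffee": {"email": "alice@example.test", "password": "generated-p4ss"},
}


def key_from_url(url):
    """Weak pattern: the secret rides in the query string, so any system that
    records the URL (search index, referrer, access log) also records the key."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("key", [None])[0]


def render(key):
    """Page body for a key; the sensitive part is the account data it reveals."""
    account = PENDING.get(key)
    if account is None:
        return 404, {"X-Robots-Tag": "noindex"}, "unknown or expired activation key"
    body = "activated %s (password: %s)" % (account["email"], account["password"])
    return 200, {"X-Robots-Tag": "noindex"}, body


def handle_activation_request(url, cookie_header=""):
    """Hardened pattern modelled on the fix described in the digest: a key that
    arrives in the URL is moved into an HttpOnly cookie and the client is
    redirected to the same path without the key, so the address that crawlers
    and referrers see no longer contains the secret. Returns (status, headers, body)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if "key" in qs:
        cookie = SimpleCookie()
        cookie[ACTIVATION_COOKIE] = qs["key"][0]
        cookie[ACTIVATION_COOKIE]["httponly"] = True
        cookie[ACTIVATION_COOKIE]["path"] = parts.path
        rest = {k: v for k, v in qs.items() if k != "key"}
        location = parts.path + ("?" + urlencode(rest, doseq=True) if rest else "")
        headers = {
            "Location": location,
            "Set-Cookie": cookie.output(header="").strip(),
            "X-Robots-Tag": "noindex",   # belt and braces: the redirect itself is not indexable
        }
        return 302, headers, ""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(ACTIVATION_COOKIE)
    if morsel is None:
        return 400, {"X-Robots-Tag": "noindex"}, "no activation key supplied"
    return render(morsel.value)


def crawler_view(url):
    """What a cookie-less crawler ends up with after following the redirect:
    the key-free page, which reveals nothing."""
    status, headers, body = handle_activation_request(url)
    if status == 302:
        status, headers, body = handle_activation_request(headers["Location"])
    return status, body


if __name__ == "__main__":
    print(key_from_url(ACTIVATION_PATH + "?key=c0ffee"))
    print(handle_activation_request(ACTIVATION_PATH + "?key=c0ffee"))
    print(handle_activation_request(ACTIVATION_PATH, "activation_key=c0ffee"))
    print(crawler_view(ACTIVATION_PATH + "?key=c0ffee"))
```

The point of `crawler_view` is the check a defender would run: a client that follows the redirect but does not keep the cookie (as a search-engine crawler typically does) lands on a page with no account data, and the URL it would index no longer contains the key. The `X-Robots-Tag` header is an extra precaution; the essential change is that the secret leaves the URL.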

Facebook has leaked data again. Or perhaps it hasn't: last week the company reported (FB blog post, news) a bug in its API that allowed third-party applications to access user photos. The bug existed from 13 to 25 September. During that time, third-party applications that users had already granted access to their Facebook photos could reach all of the account's images. Normally, access is granted only to the photos a user posts on their timeline; for almost two weeks the API also exposed photos from stories, Marketplace photos and more. Worst of all, it gave access to private pictures that the user had uploaded to the social network but never published anywhere.

6.8 million users were affected. After the well-known debates about the privacy of the data the social network collects, every report of another security hole attracts a great deal of attention. In this case, though, nothing especially awful happened: a bug was introduced, found and fixed. The earlier problem with the feature for viewing a page as another user was more serious. As usual, Facebook is not alone with its vulnerabilities: after yet another problem was found in Google+, Google decided to shut down the ill-fated social network even earlier than planned.

Researcher Tavis Ormandy of Google's Project Zero team published (news, detailed report) details of a bug in a Logitech keyboard utility. The vulnerability in Logitech Options was found in September, after which the manufacturer took a long time to fix it. The problem is an interesting one. The utility lets the user remap keyboard buttons, and finding an attack vector there was quite unexpected. Yet one exists: the application listens for commands on a specific TCP port and does not check at all where they come from.

Thus the utility can be controlled remotely through a specially prepared web page. A similar problem (though somewhat easier to exploit) was once widespread in routers, which could be administered without the user's knowledge as soon as the user opened such a page in the browser. Through the exposed network interface it is possible to change program settings and to send arbitrary keystroke sequences on behalf of the keyboard, which in theory can be used to gain control of the system.
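The missing check the digest describes, that a local service never asks where a command came from, is easiest to understand as a request gate in front of the command handler. The following is an added illustration, not Logitech's code and not from the report: it models a local HTTP/WebSocket-style listener that accepts connections only from a loopback peer, requires a loopback `Host` header (so a request routed through a rebound DNS name is refused) and refuses any browser request whose `Origin` is not on an allowlist. The port, the allowlisted origin and the sample requests are constructed for the example.

```python
import ipaddress

LISTEN_PORT = 12345                                  # constructed, not the real port
LOCAL_HOSTS = {"127.0.0.1", "localhost", "[::1]"}
ALLOWED_ORIGINS = {"https://vendor-app.example"}     # assumed: the only web origin allowed to talk to the service


def parse_request_head(raw):
    """Split the head of a raw HTTP request into (request line, header dict).
    Header names are lower-cased; the body, if any, is ignored."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def host_without_port(host):
    """Strip the :port suffix, keeping bracketed IPv6 literals intact."""
    if host.startswith("["):
        return host[: host.index("]") + 1]
    return host.rsplit(":", 1)[0] if ":" in host else host


def peer_is_loopback(peer_ip):
    """First gate: the accepted socket's peer address must be loopback.
    Binding to 127.0.0.1 instead of 0.0.0.0 is the cleaner fix; this check
    is the defence in depth behind it."""
    try:
        return ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False


def is_request_allowed(raw):
    """Second gate: a local tool talking over loopback sends no Origin header;
    a browser page always attaches one to cross-origin fetches and to the
    WebSocket opening handshake, so an unexpected Origin identifies a web page
    trying to drive the service. Returns (allowed, reason)."""
    _, headers = parse_request_head(raw)
    host = host_without_port(headers.get("host", ""))
    if host not in LOCAL_HOSTS:
        return False, "Host is not a loopback name (possible DNS rebinding)"
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "cross-origin browser request refused"
    return True, "ok"


# Constructed sample requests as the listener would read them off the socket.
NATIVE_REQUEST = (
    "POST /command HTTP/1.1\r\n"
    "Host: 127.0.0.1:12345\r\n"
    "Content-Length: 0\r\n\r\n"
)
BROWSER_REQUEST = (
    "GET /command HTTP/1.1\r\n"
    "Host: 127.0.0.1:12345\r\n"
    "Origin: https://some-site.example\r\n"
    "Upgrade: websocket\r\n\r\n"
)
REBIND_REQUEST = (
    "POST /command HTTP/1.1\r\n"
    "Host: rebound.example:12345\r\n\r\n"
)
ALLOWED_WEB_REQUEST = (
    "GET /command HTTP/1.1\r\n"
    "Host: localhost:12345\r\n"
    "Origin: https://vendor-app.example\r\n\r\n"
)


if __name__ == "__main__":
    for name, req in [("native", NATIVE_REQUEST), ("browser", BROWSER_REQUEST),
                      ("rebind", REBIND_REQUEST), ("allowed web", ALLOWED_WEB_REQUEST)]:
        print(name, is_request_allowed(req))
    print("peer 127.0.0.1 ->", peer_is_loopback("127.0.0.1"))
    print("peer 192.0.2.10 ->", peer_is_loopback("192.0.2.10"))
```

Two caveats a practitioner should keep in mind. The `Origin` check only filters browsers; it does nothing against other local processes, so a service that accepts commands as sensitive as synthetic keystrokes should additionally require an unguessable per-session token or an authenticated channel. And the `Host` check matters because a loopback listener is still reachable by a page that pointed a rebound hostname at 127.0.0.1; rejecting non-loopback `Host` values closes that path.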

The utility runs at system startup by default, which makes the problem even worse. The researcher published the information after the disclosure deadline, on December 11. Two days later, Logitech released an updated version of the program that appears to close the vulnerability. Not everyone agrees with that, however.

Disclaimer: The opinions expressed in this digest do not always coincide with the official position of Kaspersky Lab. The dear editors generally recommend treating any opinion with healthy skepticism.
