WordPress 4.7.1 Updates for 8 Security Issues

Just over a month after the first WordPress 4.7 release, a new incremental update debuts fixing 62 bugs, including a security flaw in the popular PHPMailer email library that was first publicly reported in December 2016.
WordPress 4.7.1 was officially released on Jan. 11, providing users of the popular open-source content management system with an incremental update fixing 62 bugs and 8 security issues.

The WordPress 4.7.1 update follows the release of WordPress 4.7 codenamed ‘Vaughan’ that debuted on Dec. 6, 2016. Just over a month since its release, WordPress 4.7 has over 16 million downloads, according to WordPress.
Those millions of users began to receive notifications yesterday that their sites were being updated. Since the WordPress 3.7 release in October 2013, the open-source CMS has provided its users with an automatic updating system for incremental releases.
The most noteworthy security fix in the WordPress 4.7.1 update is for a vulnerability that isn’t actually within WordPress’ own code, but rather in open-source code from the PHPMailer library. PHPMailer is an email creation and transfer library for PHP that is used by WordPress.
The PHPMailer vulnerability is a Remote Code Execution (RCE) identified as CVE-2016-10033, that was first publicly reported by security researcher Dawid Golunski on Dec. 25, 2016.
“Research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application,” Golunski wrote in his disclosure.
The PHPMailer open-source project issued an update for the CVE-2016-10033 vulnerability on Dec. 24, 2016, though it turned out not to fully fix the issue. As a result, Golunski was still able to bypass PHPMailer’s patch, a flaw identified as CVE-2016-10045, which in turn was patched by the PHPMailer 5.2.20 release on Dec. 28, 2016.
As to why WordPress did not update sooner for the PHPMailer issue, the reason is that WordPress developers did not see the vulnerability as able to directly affect WordPress.
“Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress and wp_mail() does not use,” WordPress Lead Developer, Dion Hulse wrote in a comment on the bug tracker for the flaw.
The WordPress 4.7.1 release notes state, “no specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.”
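Because the article only says which PHPMailer release closed the hole (5.2.20), the practical question for an administrator is whether a given site still ships an older copy. The following script is an added example, not code from the article, WordPress or PHPMailer: it reads the `$Version` property that PHPMailer declares in its class file and compares it with 5.2.20. The path `wp-includes/class-phpmailer.php` used in the usage function is an assumption about where a WordPress 4.x install keeps the bundled library, and the two PHP snippets are constructed samples.

```python
import re
from typing import Optional, Tuple

# PHPMailer 5.2.20 is the release the article names as fixing CVE-2016-10045
# (the bypass of the incomplete CVE-2016-10033 fix).
FIXED_VERSION: Tuple[int, ...] = (5, 2, 20)

# PHPMailer declares its version as a class property, e.g.:  public $Version = '5.2.14';
VERSION_RE = re.compile(r"""\$Version\s*=\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")

# Constructed samples standing in for the top of class-phpmailer.php.
SAMPLE_OLD = "class PHPMailer {\n    public $Version = '5.2.14';\n}\n"
SAMPLE_NEW = "class PHPMailer {\n    public $Version = '5.2.21';\n}\n"
SAMPLE_NO_VERSION = "class SomethingElse {\n}\n"


def extract_version(php_source: str) -> Optional[Tuple[int, ...]]:
    """Return the PHPMailer version as a tuple of ints, or None if not found."""
    match = VERSION_RE.search(php_source)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def audit(php_source: str) -> Tuple[str, Optional[Tuple[int, ...]]]:
    """Classify a PHPMailer source file as 'patched', 'vulnerable' or 'unknown'.

    Tuple comparison gives a correct ordering for dotted versions, so
    (5, 2, 14) < (5, 2, 20) and (5, 2, 21) >= (5, 2, 20).
    """
    version = extract_version(php_source)
    if version is None:
        return ("unknown", None)
    if version < FIXED_VERSION:
        return ("vulnerable", version)
    return ("patched", version)


def audit_wordpress_install(root: str) -> Tuple[str, Optional[Tuple[int, ...]]]:
    """Audit a WordPress checkout; the class file location is an assumption."""
    path = f"{root.rstrip('/')}/wp-includes/class-phpmailer.php"
    try:
        with open(path, encoding="utf-8", errors="replace") as handle:
            return audit(handle.read())
    except OSError:
        return ("unknown", None)


if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("none", SAMPLE_NO_VERSION)):
        status, version = audit(sample)
        shown = ".".join(map(str, version)) if version else "-"
        print(f"{label}: {status} (version {shown})")
```

The regex only recognises the property form shown above; if a later library release changes how it records its version, `audit` reports `unknown` rather than guessing, which is the safer failure mode for an inventory script.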
In addition to the PHPMailer update, there was an information leakage flaw with the REST API that could have potentially exposed user data. The WordPress 4.7.1 update also provides patches for two different Cross-Site Scripting (XSS) vulnerabilities as well as a pair of Cross-Site Request Forgery (CSRF) flaws.
The other two security issues fixed in the WordPress 4.7.1 update include a configuration change in how the CMS allows users to post a story via email and a fix for weak cryptographic security used to activate a multi-site deployment of WordPress.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.