Posts Tagged ‘Security’
WordPress 2.5 upgrade issues with Windows Live Writer?
Normally I wait for some time before upgrading WordPress installations. But this time I jumped to WordPress 2.5 when I came across serious security issues in the 2.2.x series. Some of my blogs which ran under 2.2.x versions were badly hacked and I had to spend a lot of time recovering them! The hacker modified most of my posts and cleverly inserted hidden links. He also installed a backdoor PHP file in the current template folder! This ensured that even after an upgrade he could control my WordPress blog.
I detected the problem only when I realized that my blog was no longer in the Google search index!
WordPress hacking became so widespread that Technorati has a special process in place to quarantine infected/hacked WordPress blogs! There are reports of a WordPress 2.5 vulnerability, but it is better to upgrade to 2.5 than stick with 2.3.3. The important thing is to upgrade as soon as a release is out rather than cling to a version for which hacking scripts may be sold in warez forums! So I am keeping my thumb on the WordPress upgrade button, waiting for 2.5.1.
After the upgrade I came across an interesting issue when I tried to post through Windows Live Writer. It responded with an error message - Invalid response document returned from XmlRpc server. I initially thought that it was a bug in Windows Live Writer and a compatibility issue with WordPress 2.5. Then I tried posting the same from the WordPress admin. When I tried to upload an image I got the following error:
- Fatal error: Call to undefined function wp_constrain_dimensions.
Then I realized there was some problem with the WordPress 2.5 upgrade. Here is how I resolved the problem. First I deleted all the PHP files in the WordPress root folder (except wp-config.php) and then deleted the wp-admin and wp-includes folders. After ensuring that all old files were deleted, I uploaded the WordPress 2.5 files again. That resolved the issue with Windows Live Writer!
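An added example, not part of the original post: a Python check that compares a live install against an unpacked clean release, reporting PHP files the release does not ship (such as a file planted in a theme folder, which an upgrade never overwrites) and shipped files whose content differs (such as stale copies left by an incomplete upload). The function names, directory layout and sample file contents are constructed for the illustration.

```python
import hashlib
import os

def _hashes(root):
    """Map relative path -> SHA-256 for every file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def audit_install(site_root, release_root, keep=("wp-config.php",)):
    """Compare a live install against an unpacked clean release.

    Returns (unknown, modified): PHP files the release does not ship, and
    shipped files whose content differs from the release copy.
    """
    site, release = _hashes(site_root), _hashes(release_root)
    unknown = sorted(p for p in site
                     if p not in release and p not in keep and p.endswith(".php"))
    modified = sorted(p for p in site if p in release and site[p] != release[p])
    return unknown, modified

def build_demo(base):
    """Constructed sample trees: a clean release and an install with leftovers."""
    release = {"index.php": "<?php // 2.5",
               "wp-includes/media.php": "<?php // 2.5",
               "wp-content/themes/default/index.php": "<?php // theme"}
    site = dict(release)
    site["wp-config.php"] = "<?php // local settings"
    site["wp-includes/media.php"] = "<?php // stale copy"            # old file kept
    site["wp-content/themes/default/cache.php"] = "<?php // extra"   # not shipped
    for root, tree in (("release", release), ("site", site)):
        for rel, body in tree.items():
            path = os.path.join(base, root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "site"), os.path.join(base, "release")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_install(*build_demo(tmp)))
```

Third-party themes and plugins will also show up as unknown PHP files; those entries are the ones to review by hand or compare against their own upstream packages.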
Critical Flash vulnerability detected - update your Flash installation now!
Mark Dowd has detected a serious security flaw in the Adobe Flash plugin which allows an attacker to take complete control of a computer. Adobe Flash Player 9.0.115.0 and earlier are affected by this critical issue. Flex 3.0 and AIR 1.0, which use Flash, are also affected. The Flash plugin is installed in various browsers (Firefox, Internet Explorer etc.) and is heavily used by Web 2.0 sites such as YouTube for video streaming. This exploit makes use of the NULL pointer attack to even modify the Flash executable! In the hands of a malicious programmer, this knowledge can quickly turn into a big disaster.
Vulnerabilities in online software are nothing new. For example, vulnerabilities are continuously found in WordPress and various WordPress plugins. But what makes a vulnerability in Flash so much more damaging is that Flash is installed on almost all browsers and it is independent of the operating system you are running! An attacker can run a torrent site or a game site and then embed a malicious Flash file in it. When you access the site, the Flash file gets executed and it will use the exploit to get hold of your system!
Mark Dowd is a researcher at IBM Internet Security Systems and wrote the Flash exploit details in a document titled “Application-Specific Attacks: Leveraging the ActionScript Virtual Machine”. This can be downloaded from here. According to the article, even Windows Vista is vulnerable to this exploit!
Vista’s ASLR features require that the binary is compiled with the /dynamicbase switch available on recent Microsoft compilers. Essentially, using this switch sets a flag in the PE header (0x40 in the DllCharacteristics member of the optional header) that will indicate that the binary should receive a random base address when loaded. Since Flash does not use this switch, ASLR does not cause the Flash DLL to be moved in memory in Windows Vista, and hence can still be reliably exploited. Combining this with the previous point, it is possible to generate an SWF file that will reliably exploit both IE and Firefox on all recent versions of the Windows operating system, including Vista.
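The header check the quote describes, as an added example (not from Dowd's paper or the original post): a small Python reader that pulls DllCharacteristics out of a PE file and tests the 0x40 flag, which is how you can audit whether a DLL loaded into the browser was built with /dynamicbase. The function names and the constructed, header-only sample image are assumptions made for the illustration.

```python
import struct

DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, set by /DYNAMICBASE
DLLCHAR_OFFSET = 70     # DllCharacteristics offset in the optional header (PE32 and PE32+)

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image after validating headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # file offset of the PE signature
    opt = e_lfanew + 4 + 20                               # signature + COFF file header
    if len(image) < opt + DLLCHAR_OFFSET + 2:
        raise ValueError("headers truncated")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 4 + 16)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B) or opt_size < DLLCHAR_OFFSET + 2:
        raise ValueError("unsupported or short optional header")
    return struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)[0]

def opts_into_aslr(image: bytes) -> bool:
    """True when the DYNAMIC_BASE flag is set, i.e. the image opts into ASLR."""
    return bool(dll_characteristics(image) & DYNAMIC_BASE)

def make_sample_pe(flags: int, pe32_plus: bool = False) -> bytes:
    """Constructed, header-only PE image for the demo (not a loadable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    opt = bytearray(240 if pe32_plus else 224)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, flags)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32_plus else 0x14C,
                       0, 0, 0, 0, len(opt), 0x2002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # paths of DLLs or EXEs to audit
        with open(path, "rb") as fh:
            state = "ASLR opt-in" if opts_into_aslr(fh.read(4096)) else "fixed base"
        print(f"{path}: {state}")
```

Run with one or more file paths as arguments, it prints whether each binary opts into ASLR; a "fixed base" result for a module loaded into the browser is the condition the quote describes.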
For a detailed step-by-step look at Dowd’s Flash exploit, check out this article. It is long, but is a gold mine for future cyber criminals!
Adobe was quick to address this Flash security issue and released a patch for it on April 8, 2008. According to the patch summary:
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system.
Due to the possibility that these security enhancements and changes may impact existing Flash content, content developers are advised to review this March 2008 Adobe Developer Center article to determine if the changes will affect their content, and to begin implementing necessary changes immediately to help ensure a seamless transition.
That means some of the Flash files out there may not work after the patch is installed.
Flash supports auto updates and hence the security patch should get installed automatically. But there is no guarantee. There will be thousands of browsers where auto update is disabled and which are hence vulnerable to this attack. Even if auto update is enabled, many would be cancelling it, not knowing the seriousness of it.
This incident raises another question. Is it safe to browse Web sites? The answer is - It is relatively safe if you avoid browsing suspicious Web sites. There could be other vulnerabilities that are found by cyber criminals and are being exploited through keygen/serial key sites or torrent sites.
References
1. IBM article on Flash player invalid pointer vulnerability
2. Mark Dowd’s research paper on ActionScript VM (PDF)

