Factoids

From iThemes

Did you know that 60% of website breaches involve vulnerabilities for which a patch was available but not applied? This means having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your site.


Our friends at Cloudflare recently revealed that hacking and phishing attempts have been up by 37% and, on some days, they are blocking between four and six times the number of attacks they would usually see, since the start of the COVID-19 pandemic.

Unfortunately, this means the risk to your website has significantly grown … and that’s why having a solid WordPress security strategy is more important than ever.

Vulnerability Disclosures Drop in Q1 for First Time in a Decade

And now for some good news:

Even with more security issues published on Patch Tuesdays, the total number of software flaws dropped for the first three months of 2020, according to one tally.

The number of vulnerabilities reported publicly dropped in the first quarter of 2020 for the first time in at least a decade, falling nearly 20% to 4,968 compared with the same quarter last year, according to an analysis published on Thursday by Risk Based Security.

Full story at https://www.darkreading.com

iOS Mail Zero-day

UPDATE: A patch has been issued in iOS 13.4.5 beta, with an expected final release soon. No word on patches for earlier iOS versions.

Source: https://threatpost.com/apple-patches-two-ios-zero-days-abused-for-years/155042/

A zero-day exploit has been discovered in the iOS Mail app. The security hole has existed as far back as iOS 6 (September 2012), and extends to the current iOS (13.x).

As of today (4/22/2020) this has NOT been patched. It is recommended that you DISABLE iOS Mail at this time.

We advise that you update as soon as an iOS patch is available.

Full details at https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/


Malware redirecting visitors found on 2,000 WordPress sites

More than 2,000 WordPress sites have been infected with malicious JavaScript that redirects visitors to scam websites and sets the stage for additional malware to be downloaded at a later time.

The Sucuri team said access is gained to WordPress sites through plugin vulnerabilities, including Simple Fields and CP Contact Form with PayPal. [Ed. note: None of the sites we manage are subject to these infections, as the security plugins we use protect against exploits of this type, and no sites under our management currently use the known vulnerable plugins.] A large uptick in this activity was picked up during the third week of January.

Source: https://www.scmagazine.com/home/security-news/malware/malware-redirecting-visitors-found-on-2000-wordpress-sites/
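The article names two plugins as the entry points, so the practical check for a site owner is an inventory of what is actually installed. The following Python script is an added example, not code from the article or from Sucuri: it walks a wp-content/plugins directory, reads the header comment block that WordPress itself uses to identify a plugin (the "Plugin Name:" and "Version:" lines), and flags any plugin whose directory slug or name is on a watchlist. The slugs simple-fields and cp-contact-form-with-paypal are assumed, the watchlist is seeded only with the two names from the article, and the install it scans is a constructed one built in a temporary directory. No vulnerable version ranges are asserted because the article does not give them; a hit means "review and update or remove this plugin", not "this site is compromised".

```python
"""Inventory WordPress plugins and flag any on a watchlist (added example)."""
import os
import re
import tempfile

# Assumed directory slugs for the two plugins named in the article.
WATCHLIST = {
    "simple-fields": "Simple Fields",
    "cp-contact-form-with-paypal": "CP Contact Form with PayPal",
}

# Matches the header lines WordPress reads, e.g. " * Plugin Name: Foo" or "Version: 1.0".
HEADER_RE = re.compile(r"^[\s*#]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from the leading comment of a PHP file."""
    header = {}
    for key, value in HEADER_RE.findall(text):
        header.setdefault(key, value)  # first occurrence wins, as WordPress does
    return header


def find_plugins(plugins_dir):
    """Return {slug: header} for every plugin directory that has a recognizable header."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_path):
            continue
        for name in sorted(os.listdir(plugin_path)):
            if not name.endswith(".php"):
                continue
            path = os.path.join(plugin_path, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(8192))  # header sits at the top of the file
            if "Plugin Name" in header:
                found[slug] = header
                break
    return found


def flag_watchlisted(plugins):
    """Return a sorted list of (slug, plugin name, version) entries matching the watchlist."""
    wanted_names = {n.lower() for n in WATCHLIST.values()}
    hits = []
    for slug, header in plugins.items():
        name = header.get("Plugin Name", "")
        if slug in WATCHLIST or name.lower() in wanted_names:
            hits.append((slug, name, header.get("Version", "unknown")))
    return sorted(hits)


def build_demo_install():
    """Create a constructed wp-content/plugins tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-plugins-demo-")
    demo = {  # constructed sample plugins; versions are made up for the demo
        "cp-contact-form-with-paypal": (
            "cp-contact-form-with-paypal.php",
            "<?php\n/*\nPlugin Name: CP Contact Form with PayPal\nVersion: 1.2.3\n*/\n",
        ),
        "demo-unlisted-plugin": (
            "demo-unlisted-plugin.php",
            "<?php\n/**\n * Plugin Name: Demo Unlisted Plugin\n * Version: 0.1.0\n */\n",
        ),
    }
    for slug, (filename, body) in demo.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, filename), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Point this at a real install's wp-content/plugins directory to scan it.
    plugins_dir = build_demo_install()
    for slug, name, version in flag_watchlisted(find_plugins(plugins_dir)):
        print(f"WATCHLIST: {slug} ({name}, version {version})")
```

The script reads only the first 8 KB of each top-level PHP file, which is where WordPress expects the header, so it stays fast on large installs; extending the watchlist is a matter of adding slug/name pairs to WATCHLIST as new plugin advisories are published.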

Hacker Uses NSA-Discovered Vulnerability In Windows To Spoof NSA

As a part of its latest Patch Tuesday update, Microsoft fixed a critical Windows 10 CryptoAPI vulnerability (CVE-2020-0601) that was discovered by the National Security Agency (NSA).

However, a security researcher named Saleem Rashid didn’t take much time to demonstrate the havoc it could have caused – in a funny way, though.

The researcher rickrolled the NSA and GitHub by spoofing their HTTPS-secured websites and showed how anyone could masquerade as them. Rickrolling is a familiar gesture used to demo security flaws by playing Rick Astley’s music video “Never Gonna Give You Up,” which Rashid did on the websites of the NSA and GitHub.

Affected Windows versions can be secured using the patch that’s already available, so it’s recommended that you install it if you haven’t done so already. At the same time, Google is also in the process of pushing a fix for Chrome that is currently being tested in beta releases.

Full story

WordPress Upgrades to 5.3

5.3 expands and refines the block editor with more intuitive interactions and improved accessibility. New features in the editor increase design freedom and provide additional layout options and style variations, allowing designers more control over the look of a site.

This release also introduces the Twenty Twenty theme, giving users more design flexibility and integration with the block editor.

More details at https://wordpress.org/news/2019/11/kirk/

WordPress Updates – New PHP Requirements

WordPress released two upgrades this month. Both require that your server run PHP 5.6 or later. If you don’t see upgrades to WordPress 5.2 or 5.2.1 in the lists below, it’s possible you are still on an earlier version of PHP. If that’s the case, we have you on our radar and will be contacting you or your web host about upgrading the PHP on your site in the near future. Fortunately, neither release specifically addresses any security issues.

All sites now updated to WordPress 5.x

We had initially held off on updates of some sites to WordPress 5.x due to concerns of potential problems with the new Gutenberg editor and questions about compatibility with some older themes.

We’re happy to announce that all sites we manage have now been updated. Many sites are currently set up with the Classic Editor plugin, which allows you to continue to write posts and pages in the way you’re familiar with. We recommend that you familiarize yourself with the new Gutenberg editor by temporarily deactivating the Classic Editor plugin and giving Gutenberg a try. Classic editing will only be supported for about 2 years.

Learn more about Gutenberg here:

https://wordpress.org/gutenberg/handbook/

and here:

https://www.codeinwp.com/blog/wordpress-gutenberg-guide/