Joomla users: Update immediately to kill severe SQLi vulnerability
Written by net-security.org   
Thursday, 18 May 2017 08:11

Version 3.7 of Joomla, pushed out less than a month ago, opens websites to SQL injection attacks, Sucuri Security researchers have found.


As explained by researcher Marc-Alexandre Montpas: “The vulnerability is caused by a new component, com_fields, which was introduced in version 3.7. This vulnerable component is publicly accessible, which means this issue can be exploited by any malicious individual visiting your site.”

Sucuri published technical details[1] about the vulnerability on Wednesday, in the wake of the release of Joomla 3.7.1[2], which fixes this severe issue and several other bugs.

The SQLi vulnerability (CVE-2017-8917) is easy to exploit, and can be exploited remotely.

“Given the nature of SQL Injection attacks, there are many ways an attacker could cause harm – examples include leaking password hashes and hijacking a logged-in user’s session (the latter results in a full site compromise if an administrator session is stolen),” Montpas noted.

Joomla is the second-most widely used[3] open source content management system in the world. While the number of sites powered by it is dwarfed by that of sites running on WordPress, it is still considerable.

This popularity is a boon to attackers, who are quick to exploit public vulnerability information and the fact that many administrators are slow to upgrade, as evidenced many[4] times[5] before.

“This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. Update now,” Montpas advised.

References

  1. ^ technical details (blog.sucuri.net)
  2. ^ Joomla 3.7.1 (downloads.joomla.org)
  3. ^ second-most widely used (w3techs.com)
  4. ^ many (www.helpnetsecurity.com)
  5. ^ times (www.helpnetsecurity.com)
 
WannaCry is a painful reminder of why enterprises must stay current on software updates
Written by net-security.org   
Thursday, 18 May 2017 07:53

WannaCry[1] is a wake-up call for the excessive numbers of companies needlessly dragging their feet over Windows 10 migrations. Certainly since Friday, we’ve seen an upswing in interest from companies hoping – suddenly – to accelerate the migration process[2], or automate their patching processes.

No doubt about it, the attacks gave a vivid illustration of something we have been saying for some time: stay current on your software updates. By running a very out-of-date operating system like Windows XP, Britain’s NHS and thousands of other companies left themselves wide open to attack.

The NHS might be thought to present a special case in a number of ways – it’s a government organization, it runs medical devices, etc. What does the bigger picture look like, regarding OS deployments in large organizations? Well, last month, we released a report, The State of the Migration: Enterprise Windows 10 in 2017, based on a survey of more than 1,000 U.S. IT professionals.

We wanted to know – specifically – where everyone’s Windows 10 migration[3] was at, how long they were taking (or were expected to take), and how they were planning to get there.

Certainly, the wider migration to enterprise Windows 10 is in motion. However, only 6% of respondents from companies of 50,000+ employees said migration was complete, and 64% of respondents said that they expected their company’s Windows 10 rollout to take more than a year. That’s a long time when you consider exposure to things like WannaCry that are addressed by the 17 (and counting) new security features in Win 10.

The irony is, then, that even in their effort to ‘stay current,’ and get onto a more secure operating system in the form of Windows 10, the length of time required to complete the upgrade – coupled with the rapid release cadence of Windows 10 – means that large organizations can easily end up running multiple versions of the operating system at once, including several desperately out-of-date ones.

Having an up-to-date operating system is crucial, of course. There are no guarantees, but in features such as Device Guard, Credential Guard and Secure Boot, users are safeguarded by additional lines of defense simply not available on Windows 7 (let alone XP). Windows 10 shouldn’t just be construed as a hurdle to get over, however. Getting there also presents an opportunity for a smoother, more automated IT infrastructure that safeguards against the kind of anachronism and vulnerability WannaCry has taken advantage of.

What is required here is no less than a cultural shift in the heart of enterprise IT. Organizations that are of the mindset that software updates, patches and upgrades can be delayed need to instead make it a habit to implement updates as soon as they are available. Newer versions of software mean more secure software, yes, but they also mean better software. Your enterprise has paid for it, after all, so why not take advantage of it?

Yes, the update process can look frighteningly expensive and time consuming. But that’s when automation can and should be called upon. Automation can ensure updates run like clockwork, without disrupting the business. An automated OS deployment leaves you with an infrastructure able to keep up with other software updates, and vice versa. In addition, when all updates are in place, large migrations such as the one to Windows 10 become much easier.

No one is trying to convince anyone that this kind of cultural shift is itself a cure-all. But it will make companies a hell of a lot more secure, and may protect yours from the next variation of WannaCry.

What should companies do now, today, in the face of the WannaCry threat? As you read this, your Board of Directors is probably asking your CEO what’s being done to reduce exposure[4]. Your CEO will in turn ask the CIO, who may in turn ask you. Here’s what we recommend:

  • Make sure you have a process in place to periodically report on whether software on all devices is current or not. As part of this, look at which software was purchased and which was not. The software your organization purchased is less likely to be a security risk, so focus on the rest first. And specifically look for devices with SMB1 enabled and disable the protocol on them.
  • Put in place the systems required to automate future software updates. Taking this off of IT’s plate leaves them with time to focus on non-routine things, and ensures updates are completed in a timely manner rather than delayed by other priorities requiring IT bodies.
  • Inevitably, hackers will still get through – make sure you have the ability to respond to threats – by issuing patches, for instance – in real time across all devices, rather than in waves over the course of days or weeks.
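The first recommendation above (report on patch currency, find SMB1 and switch it off) can be turned into a per-host audit script. The following is an added PowerShell example and not code from the article or its author; the function names and the 30-day staleness threshold are my own choices, and it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, where the `SmbShare` cmdlets exist (the optional-feature cmdlets are only present on Windows 10 / Server 2016 and later, so they are probed before use).

```powershell
# Added example (not from the article): audit SMBv1 exposure and update currency on a Windows host.
# Assumes an elevated session on Windows 8.1 / Server 2012 R2 or later.
# Function names and the MaxDays threshold are hypothetical; adjust to your patch policy.

function Get-SmbV1Status {
    # Server-side SMB1 dialect switch (Get-SmbServerConfiguration, Win 8.1 / 2012 R2 and later)
    $server = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol

    # Optional-feature state on Windows 10 / Server 2016 and later; stays $null on older builds
    $feature = $null
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SmbServerSMB1On  = $server
        SMB1FeatureState = $feature
        SMB1Exposed      = ($server -eq $true) -or ($feature -eq 'Enabled')
    }
}

function Get-PatchCurrency {
    param([int]$MaxDays = 30)
    # Most recently installed update; a host with nothing newer than $MaxDays is flagged stale.
    $latest = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $age = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        LatestHotFix = $latest.HotFixID
        InstalledOn  = $latest.InstalledOn
        DaysSinceFix = $age
        Stale        = (-not $latest) -or ($age -gt $MaxDays)
    }
}

function Disable-SmbV1 {
    # Turn off the SMB1 server dialect and, where the optional feature exists, remove it too.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Report first; remediate only what the report flags.
$smb   = Get-SmbV1Status
$patch = Get-PatchCurrency -MaxDays 30
$smb, $patch | Format-List

if ($smb.SMB1Exposed) {
    Write-Warning "SMBv1 is enabled on $($smb.ComputerName); disabling it."
    Disable-SmbV1
}
if ($patch.Stale) {
    Write-Warning "$($patch.ComputerName) has no update newer than 30 days; schedule patching."
}
```

Run the reporting half across the fleet (for example via `Invoke-Command` against a list of hosts) before enabling the remediation branch, so the output serves as the periodic currency report the article asks for rather than a one-off change.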

References

  1. ^ WannaCry (www.helpnetsecurity.com)
  2. ^ accelerate the migration process (www.helpnetsecurity.com)
  3. ^ Windows 10 migration (www.helpnetsecurity.com)
  4. ^ what’s being done to reduce exposure (www.helpnetsecurity.com)
 