
WordPress 2.3.3 Urgent Update

February 5th, 2008 | 2 Comments | Posted in Blog Tips

A security flaw has been discovered in the XML-RPC implementation. XML-RPC is a spec and a set of implementations that allow software running on disparate operating systems and in different environments to make procedure calls over the Internet. The update fixes the flaw that allows a user to edit posts in your blog by sending a specially crafted request. Enough with the technical details: if you are using WordPress and have user registration enabled, you should update your hosted WordPress. This will prevent registered users of your blog from editing your posts.

The update also includes some bug fixes:

  • gettext fails to determine byteorder on 64bit systems with php5.2.1
  • some registration emails fail in 2.3.1 b/c of “callout verification”
  • maybe_create_table call to config.php issue

WordPress also reported a vulnerability in the WP-Forum plugin that is being actively exploited right now. WP-Forum is a WordPress plugin that enables you to have a forum directly attached to your WordPress installation.  If you are using this plugin, it is strongly recommended that you remove it until an update is available from its author.


Yahoo CAPTCHA Cracked By Russians

February 1st, 2008 | Comments Off | Posted in Technology

CAPTCHA (Completely Automated Turing Test To Tell Computers and Humans Apart) is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. For example, humans can read distorted text like the one shown below, but current computer programs can’t:

[Image: yahoocaptcha.jpg]

The Yahoo! CAPTCHA, the most difficult CAPTCHA to crack, found itself vulnerable to a team of Russian hackers who found a way to read it with 35% accuracy. The Yahoo! CAPTCHA uses bent alphanumeric characters and other features that one might expect from a strong CAPTCHA, while remaining recognizable by humans.

This is what the hackers said about Yahoo! CAPTCHA:

The CAPTCHA has a vulnerability we’ll discuss later. It’s not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100.000 tries per day, taking into the consideration the price of not automated recognition – one cent per one CAPTCHA.

This is an alarming issue for everybody. This kind of vulnerability will allow more email accounts to be registered automatically, and those accounts can be used for phishing, spam and fraud. This will clearly have a great negative impact on the online community and businesses. They must find new ways to improve CAPTCHA. Maybe we’ll be seeing some form of evolution in CAPTCHA; what are those billion-dollar companies paying their programmers and developers for, anyway? If this is not resolved quickly, we can expect automated online businesses, blogs, and any site that utilizes CAPTCHA to take extra effort in making sure that they are safe from spam by checking their comments and transactions manually.

Source: geeksaresexy

