Archive for June, 2014


Movie Review: The Internet’s Own Boy - The story of Aaron Swartz
Death is always painful, but its pain is compounded considerably when the cause is suicide. A suicide leaves us not just with the loss of a person but with a legacy of anger, second-guessing and fearful anxiety. Such is the case of the great Internet activist Aaron Swartz.

Aaron Hillel Swartz, an eclectic persona, was a self-taught programmer, Internet activist, co-founder of the popular social news website Reddit, founder of the organization Demand Progress and an activist who helped create the RSS feed format. Even that list isn’t enough to define The Internet’s Own Boy, Aaron Swartz, who helped craft the Internet we know today.

Aaron Swartz committed suicide last year, at just 26, after the court threatened him with the possibility of a prison sentence of at least 35 years and $4 million in fines for illegally downloading millions of academic journal articles from the digital library JSTOR via MIT, with no bad intention other than possibly releasing them into the public domain as open access.

Aaron’s suicide raises questions about U.S. computer crime laws and the related punishment regimes. Many activists and ordinary people are troubled by the inadequacy of such punishments when compared to those for other crimes. The cyber world is complex, and judging it is even more so.

Tim Berners-Lee, the father of the World Wide Web, wrote on Twitter: “Aaron dead. World wanderers, we have lost a wise elder. Hackers for right, we are one down. Parents all, we have lost a child. Let us weep.”

Now his story is the subject of a documentary film released last Friday, “The Internet’s Own Boy – The story of Aaron Swartz”, directed by Brian Knappenberger, a filmmaker who chronicles several stages of the late computer prodigy’s life.

Brian Knappenberger thinks the legal system is largely to blame for the young digital activist’s suicide.

“Certainly there were many factors, but this two-year legal nightmare that he went through — you can’t ignore that,” said Brian Knappenberger. “He was exhausted financially and emotionally. He killed himself within a few days of his initial arrest. I don’t think that’s a coincidence, exactly.”


This 105-minute documentary is a perfect story that depicts Aaron Swartz’s life and his tragic death at the age of 26. Knappenberger builds the film’s view through interviews with Swartz’s family, friends and allies.

Aaron’s involvement in Internet rights as a teenager, and his work on the RSS feed, the social news website Reddit and Creative Commons, are beautifully presented in the movie.

This is a very emotional story based on Aaron’s life and is really worth watching. It’s a remarkable story that gives you a close look at Aaron’s evolution from a bright child to a driven activist with prescient concerns about social justice, freedom of information and the fight for transparency in government and against corruption.

WATCH ONLINE OR DOWNLOAD

The Creative Commons-licensed version of The Internet’s Own Boy is now available on the Internet Archive, which is useful for those outside the US who are unable to pay to watch the film online. The Internet Archive offers the film for download in MPEG-4 or Ogg format. A torrent download of the film is also available.


via The Hacker News http://ift.tt/1iMmAsN

Disqus WordPress Plugin Flaw Leaves Millions of Blogs Vulnerable to Hackers
A remote code execution (RCE) vulnerability has been discovered in the Disqus comment and discussion plugin for WordPress, the most popular blogging platform.
While more than 70 million websites on the Internet currently run WordPress, about 1.3 million of them use the ‘Disqus Comment System’ plugin, making it one of the most popular WordPress plugins for web comments and discussions.
The security team at the security firm Sucuri discovered the critical RCE flaw while analyzing the Disqus plugin’s custom JSON parser: its variable parsing function could allow anyone to execute commands on the server, because it passes input to PHP’s eval() function insecurely.

WHO ARE VULNERABLE

The Remote Code Execution (RCE) vulnerability can be triggered by a remote attacker only if the following application versions are running on the server/website:

  • PHP version 5.1.6 or earlier
  • WordPress 3.1.4 or earlier
  • WordPress Plugin Disqus Comment System 2.75 or earlier

HOW TO EXPLOIT DISQUS

For successful exploitation, an attacker can post a custom payload, for example {${phpinfo()}}, as a comment on the targeted post/page, and then only needs to open the following ‘Comment Synchronization’ URL with the targeted post ID in order to take advantage of the vulnerability.

http://ift.tt/1ptYcfF

“While the flaw itself is very dangerous,” reads the blog post. “That’s it, looks simple right? So if you are using an outdated version of WordPress/PHP, you need to update Disqus asap.”
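To show what “insecurely coded eval()” means in practice, here is an added example (not the Disqus plugin’s code): a small Python analogue of the bug class, in which a hand-rolled parser lets the interpreter “unescape” each value by evaluating it as a quoted string literal. A Python f-string stands in for PHP’s double-quoted string interpolation, so an embedded {1+1} plays the role of the {${phpinfo()}} payload above; the sample document, key names and function names are constructed. The hardened form beside it simply hands the document to the standard JSON decoder.

```python
import json
import re

# Constructed sample: the kind of comment-sync payload a hand-rolled JSON
# parser might receive. "{1+1}" stands in for the {${...}} trick described
# above: text that is only data until an interpreter evaluates it. The "\\u0041"
# is a legitimate JSON escape that both parsers must turn into "A".
SAMPLE_DOC = '{"author": "alice", "message": "{1+1} hello \\u0041"}'

# Naive key/value extraction, deliberately as simplistic as a custom parser
_PAIR = re.compile(r'"([^"]+)"\s*:\s*"([^"]*)"')


def parse_unsafe(doc):
    """Parser in the style of the flawed plugin code: extract pairs with a
    regex, then 'unescape' each value by evaluating it as a quoted literal.
    The f-string literal mirrors PHP's double-quoted string: any {expression}
    embedded in attacker-controlled text is executed, not just unescaped."""
    result = {}
    for key, raw in _PAIR.findall(doc):
        result[key] = eval('f"' + raw + '"')  # the injection point
    return result


def parse_safe(doc):
    """Hardened form: a real JSON decoder handles the escapes. Braces, dollar
    signs and parentheses inside a value stay inert text, and malformed input
    raises json.JSONDecodeError instead of being 'interpreted'."""
    return json.loads(doc)


if __name__ == '__main__':
    print(parse_unsafe(SAMPLE_DOC)['message'])  # 2 hello A  (expression ran)
    print(parse_safe(SAMPLE_DOC)['message'])    # {1+1} hello A  (inert text)
```

The rule this illustrates for anyone maintaining a parser: escape handling belongs to a real decoder (json_decode() in PHP, json.loads() in Python), never to eval() over a string the user controls.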

At the beginning of the month, the same research team at Sucuri discovered a critical vulnerability in All in One SEO Pack, a plugin that optimizes WordPress for search engines, which potentially left millions of websites vulnerable to attackers.

HOW TO PATCH VULNERABILITY

If left unpatched, the flaw could allow any potential attacker to do anything he wants with a vulnerable website. So it is highly recommended that those using outdated versions of WordPress and PHP, or Disqus Comment Plugin 2.76, upgrade to the latest versions as soon as possible.

WordPress users should be able to update their Disqus plugin by signing into the WordPress administrative panel > Disqus Comment System plugin > drop-down at the top or bottom of the page > click “Update.” Users can also update the plugin manually by overwriting the plugin files directly in the WordPress plugins directory.

Also read: Zero-Day TimThumb WebShot Vulnerability leaves Thousands of WordPress Blogs at Risk.


via The Hacker News http://ift.tt/1jBFH3n

Anonymous Operating System 'Tails' Website Hacked
Just a few hours ago, the official website of the Tails operating system was hacked, and it appears that a 17-year-old hacker breached and defaced it.

Tails is a Linux-based, highly secure operating system, specially designed and optimized to preserve users’ anonymity and privacy. A hacker calling himself “Sum guy” somehow managed to access the website as an administrator and edited the homepage content with the following message:

You has been haxoredeszed by sum dumb 17 year old by accident… Sorry about that please forgive me! I accidentally logged myself in as someone important and changed the site, not knowing that what I was changing would save! So sorry about that… I hope you have a backup, Oh and btw I love your OS! Yours sincerely, Sum guy
And before I leave,
Hi ed…
and zoin

Defaced link: http://ift.tt/RyXrAn. All other pages on the Tails website are working just fine, but at this moment it is not clear whether the hacker has also modified the OS image. So readers are advised not to download Tails from the website, at least for a few days.

Tails, also known as ‘The Amnesic Incognito Live System’, is free software based on Debian GNU/Linux; you install it on a DVD or USB drive and boot the computer from that drive. This allows you to work on a sensitive file on any computer while preventing the data from being recovered after the computer is turned off.

Tails was reportedly used by NSA whistle-blower Edward Snowden in his discussions with journalists, because it includes a range of tools for protecting your data by means of strong encryption.

I will update the story after receiving more details on this hack. Stay Tuned.


via The Hacker News http://ift.tt/1x1clUb

BEWARE: Is Tracy Morgan Really Dead? Facebook Scam Targeting Users with Malware
Oh my God! Is Tracy Morgan really dead? No, thankfully it’s only a hoax, but scammers have announced the popular comedian and actor Tracy Morgan dead.

Another Facebook scam is circulating across the social networking website, just a day before the former “Saturday Night Live” and “30 Rock” star Tracy Morgan was critically hurt in a six-vehicle accident on the New Jersey Turnpike that killed his friend, the 62-year-old writer James McNair.

With the rise of scams on Facebook, the social networking giant with more than one billion active users, it has become very clear that the platform not only provides special opportunities for people to connect and share information, but serves as a great platform for scammers as well.

TOTAL SCAM LEADS TO MALWARE

Scammers spare no incident to target as many victims as possible, and this time they used the roadway accident to target users by spreading fake Facebook videos proclaiming the death of Tracy Morgan.

Malwarebytes warned about the Morgan video scam, saying that the fake video, which is spreading throughout the social network, tricks users into sharing it under the title “[Death Video] R.I.P. Tracy Morgan died few minutes ago in hospital.”

Once clicked, users are directed to share the fake video, and along with the sharing the spam leads users to download a file, which could be anything from a potentially unwanted program (PUP) to malicious software that steals sensitive or financial information from the infected system.

TRACY MORGAN DEAD? RUMORS REACHED TWITTER AS WELL

In response to this false news, people began tweeting that Tracy had passed away on June 10. The fake news spread like wildfire on the internet. Following are tweets from his fans:

[Image: screenshots of fans’ tweets repeating the rumour]

JUST IGNORE IT

“Pay no attention to scammy and sensational-sounding videos appearing on your Facebook feed and stick to trusted news sources for breaking stories and information,” warned Malwarebytes. “Surveys are always a pain, but scam sites offering up random redirects always carry the potential to be even more problematic – you simply never know where you’re going to end up.”

We have seen various suspicious posts on Facebook, like “See your friend’s naked video”, an app offering you a chance to see who has viewed your Facebook profile, and many more. Sometimes these scams are very obvious and easily avoided, but often they are irresistible and easy to fall for, like this new fake video scam.

SCAMS ON THE RISE, SO BE SAFE

With more tech skills, modern scammers can reach billions of potential victims with a single message or post, and their scams are getting more dangerous day by day. Despite Facebook’s security measures, safe and secure social networking rests in your own hands, and if you aren’t paying attention to such scams, you could fall for one without ever realizing it.

So if you are served any suspicious link or post, do not click on it, even if it comes from your closest friend.


via The Hacker News http://ift.tt/1vgAsLJ

New Banking Malware with Network Sniffer Spreading Rapidly Worldwide
The amount of banking malware this year has almost doubled compared to the previous one, and so has the sophistication of malware authors’ techniques.
Until now, we have seen banking Trojans infect a device and steal its user’s financial credentials in order to drain their money. But nowadays malware authors are adopting more sophisticated techniques in an effort to target as many victims as they can.

BANKING MALWARE WITH NETWORK SNIFFING

Security researchers at the anti-virus firm Trend Micro have discovered a new variant of banking malware that not only steals information from the device it has infected but also has the ability to “sniff” network activity to steal sensitive information from other users on the network.

The banking malware, dubbed EMOTET, spreads rapidly through spam emails that masquerade as bank transfers and shipping invoices. The spam email comes with a link that users readily click, since the emails refer to financial transactions.

Once clicked, the malware is installed on the user’s system and downloads its component files, including a configuration file and a .DLL file. The configuration file contains information about the banks targeted by the malware, whereas the .DLL file is responsible for intercepting and logging outgoing network traffic.

The .DLL file is injected into every process on the system, including the web browser, and then “this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file,” wrote Joie Salvio, security researcher at Trend Micro. “If strings match, the malware assembles the information by getting the URL accessed and the data sent.”

ENCRYPTED STOLEN DATA

Meanwhile, the malware stores the stolen data, after encrypting it, in separate registry entries, which means the malware can steal and save any information the attacker wants.

“The decision to store files and data in registry entries could be seen as a method of evasion,” Salvio said. “Regular users often do not check registry entries for possibly malicious or suspicious activity, compared to checking for new or unusual files. It can also serve as a countermeasure against file-based AV detection for that same reason.”

HTTPS CONNECTIONS KICKED

Moreover, the malware is also capable of bypassing secure HTTPS connections, which poses more danger to users’ personal information and banking credentials, as users will feel free to continue their online banking without realizing that their information is being stolen.


[It has the] capability to hook the following network APIs to monitor network traffic:

  • PR_OpenTcpSocket
  • PR_Write
  • PR_Close
  • PR_GetNameForIndentity
  • Closesocket
  • Connect
  • Send
  • WsaSend

This kind of financial threat is really dangerous, because previous banking malware often relied on form field injection or phishing pages to steal users’ financial information, but the use of network sniffing makes the threat even harder for users to detect, as no changes are visible, the researcher said.

Researchers are still investigating how the data the malware sniffs from the network is sent to the attacker.

MALWARE DISTRIBUTION OVER WORLD MAP

The malware infection is not targeted at any specific region or country, but the EMOTET malware family is largely infecting users in the EMEA region (Europe, the Middle East and Africa), with Germany at the top of the affected countries.

Users are advised not to open or click on links and attachments in any suspicious email; if the message appears to come from your bank and concerns you, double-check it before proceeding.


via The Hacker News http://ift.tt/1vgr0bg

20-Years Old Vulnerability in LZO Compression Algorithm Went to Planet Mars
A 20-year-old, critical and subtle integer overflow vulnerability has been discovered in Lempel-Ziv-Oberhumer (LZO), an extremely efficient data compression algorithm that focuses on decompression speed, being almost five times faster than the zlib and bzip compression algorithms.

Lempel-Ziv-Oberhumer (LZO) was developed in 1994 by Markus Oberhumer, and it is currently one of the most popular and widespread compression algorithms, used in the Linux kernel, some Samsung Android mobile devices, several open-source libraries including OpenVPN, MPlayer2, Libav and FFmpeg, and other embedded devices.

20 YEAR OLD VULNERABILITY IN LZO ALGORITHM

Don A. Bailey, founder and CEO of Lab Mouse Security, who disclosed the technical details of the buffer overrun vulnerability in the LZO/LZ4 algorithms, explains that an attacker could carefully craft a piece of compressed data that would run malicious code when the software attempted to decompress it.

According to the advisory, if buffers of 16MB or more can be passed to LZO/LZ4, then exploitation is possible, and under limited circumstances the vulnerability in the algorithm could also trigger buffer overflows, denial of service and remote code execution (RCE).

As this issue only affects 32-bit systems and can only happen with uncommonly huge buffer sizes, where more than 16 MiB (2^24 bytes) of compressed data has to be decompressed within a single function call, the practical implications are limited.
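As an added example (my own simplified model, not the LZO library’s code) of why the limits above are “32-bit” and “16 MiB”: an LZO-style decoder reads a long length as a run of 0x00 bytes, each adding 255 to a counter, followed by one byte that adds its own value. The Python below models that loop with a counter truncated to a chosen bit width, computes how many zero bytes it takes to wrap a 32-bit counter, and shows a bounded variant that stops as soon as the count could exceed the remaining output. The function names and sample inputs are constructed.

```python
MIB = 1 << 20


def zero_bytes_to_wrap(bits=32):
    """Number of 0x00 run-length bytes needed before an unsigned counter of
    `bits` bits that gains 255 per byte wraps past zero: ceil(2**bits / 255)."""
    return -(-(1 << bits) // 255)


def accumulate_length_unchecked(data, pos, bits=32):
    """Model of the length loop in an LZO-style decoder: every 0x00 byte adds
    255, the first non-zero byte adds its own value. Arithmetic is truncated
    to `bits` bits, as in a C unsigned integer of that width, and nothing
    stops the count from wrapping. Returns (length, new position)."""
    mask = (1 << bits) - 1
    t = 0
    while pos < len(data) and data[pos] == 0:
        t = (t + 255) & mask          # silently wraps once t nears 2**bits
        pos += 1
    if pos < len(data):
        t = (t + data[pos]) & mask
        pos += 1
    return t, pos


def accumulate_length_checked(data, pos, out_remaining, bits=32):
    """Hardened form: refuse to grow the count beyond what could ever be
    copied into the remaining output, so the counter can neither wrap nor
    describe a copy larger than the destination. Also rejects a run that
    reaches the end of the input without a terminating byte. Returns None on
    malformed input, otherwise (length, new position)."""
    mask = (1 << bits) - 1
    t = 0
    while pos < len(data) and data[pos] == 0:
        if t > out_remaining or t + 255 > mask:   # would exceed output / wrap
            return None
        t += 255
        pos += 1
    if pos >= len(data):                          # input overrun
        return None
    t += data[pos]
    pos += 1
    if t > out_remaining:
        return None
    return t, pos


if __name__ == '__main__':
    # Constructed inputs: a run of 258 zero bytes wraps a 16-bit counter
    run = bytes(258) + b'\x01'
    print(accumulate_length_unchecked(run, 0, bits=16))        # (255, 259)
    print(accumulate_length_checked(run, 0, 1000, bits=16))    # None
    n = zero_bytes_to_wrap(32)
    print(n, n / MIB)                                          # 16843010, just over 16 MiB
```

With a 16-bit counter the wrap is visible after a few hundred bytes; the same arithmetic for 32 bits needs about 16.8 million zero bytes, just over 16 MiB, which is the “more than 16 MiB in a single call” condition quoted above. The checked variant never gets there: it bails out as soon as the accumulated count exceeds the space actually left in the output buffer.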


LZO FLAW WENT TO PLANET MARS

The Lempel-Ziv-Oberhumer (LZO) algorithm is also used in some car and aircraft systems, as well as NASA’s rover Curiosity, which is on Mars right now and completed its first year there this very week.

“The scope of this algorithm touches everything from embedded micro controllers on the Mars Rover, mainframe operating systems, modern day desktops, and mobile phones,” Bailey wrote in a blog post.

However, he dismissed the practical exploitation of the Curiosity rover by any hacker: “NASA accepted the bug reports. I doubt it is vulnerable to an attacker. The Rover is so compartmentalized within NASA it would be hard to get to, and even harder to push a malicious payload to it. I doubt you could send it enough data to trigger the bug,” Bailey explained.

Multimedia applications such as MPlayer2, libav and FFmpeg are potentially affected by the discovered vulnerability, which could be used to execute code remotely. “If you’re viewing a video, a malicious video will execute a shell on your computer, so you could get code execution by playing a video,” Bailey warned.

GOOD NEWS: NOT ANY TOM, DICK OR HARRY CAN WRITE EXPLOITS

The LZO vulnerability is significant and even exists in the kernels of Samsung Android devices, where LZO is used to increase kernel loading speed. However, each implementation and architecture uses a modified version of LZO, so a potential attacker would have to build a custom malicious payload for each implementation, which limits the overall severity of the flaw.

CVE-ID’s

  • CVE-2014-4607 – LZO code
  • CVE-2014-4608 (LZO) – Kernel code
  • CVE-2014-4609 – Libav
  • CVE-2014-4610 – FFmpeg
  • CVE-2014-4611 (LZ4) – Kernel code

SECURITY PATCH

LZO has finally been patched in LZO version 2.07 and Linux kernel version 3.15.2, and various open-source media libraries, including FFmpeg and libav, have also released patched versions.


via The Hacker News http://ift.tt/1qPPKtb

Android 4.3 and Earlier versions Vulnerable to Critical Code-Execution Flaw
A critical code-execution vulnerability affects almost everyone not running the most recent version of Google Android, i.e. Android 4.4, also known as KitKat.
Nine months after disclosing the vulnerability to the Android security team, researchers in IBM’s Application Security team have finally revealed the full details of a serious code-execution vulnerability that still affects Android devices running versions 4.3 and earlier, and which could allow attackers to exfiltrate sensitive information from vulnerable devices.

“Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure,” said Roee Hay, a security research group leader at IBM.

The researchers found a stack buffer overflow vulnerability in Android’s KeyStore storage service, which according to the Android developers’ website is the service responsible for storing and securing the device’s cryptographic keys.

CAUSE OF THE CRITICAL FLAW

According to the researchers, the vulnerability is due to an absent bounds check on a stack buffer created by the “KeyStore::getKeyForName” method.

“This function has several callers, which are accessible by external applications using the Binder interface (e.g., ‘android::KeyStoreProxy::get’). Therefore, the ‘keyName’ variable can be controllable with an arbitrary size by a malicious application,” Hay said. “The ‘encode_key’ routine that is called by ‘encode_key_for_uid’ can overflow the ‘filename’ buffer, since bounds checking is absent.”

ANDROID VULNERABILITY IMPACT

IBM’s researchers haven’t seen this vulnerability exploited in the wild yet. But if successfully exploited, it would compromise a device completely, allowing an attacker to execute malicious code of their choice under the keystore process.

Consequently, the attacker could gain access to the device’s sensitive information, such as lock-screen credentials, encrypted and decrypted master keys, data and hardware-backed key identifiers from memory, as well as the ability to carry out cryptographic operations such as arbitrary signing of data on behalf of the user.

ATTACK VECTOR

While this could be accomplished only by a malicious application, there are a number of obstacles for a working exploit to overcome.

That means a malicious application must be able to bypass the memory-based protections native to the operating system, including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

DEP is an exploit mitigation that limits where code can be executed and helps prevent certain exploits, but attackers have had success using shellcode or Return Oriented Programming (ROP) attacks to bypass DEP.


ASLR specifically reduces buffer overflow attacks that exploit vulnerabilities like the one described in this article. ASLR randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the location of a given process.

An attacker would also need to overcome the stack canaries present in Android, which are used to detect stack buffer overflows such as this one before malicious code can execute. Moreover, Android also makes use of encoding, which is another obstacle for the attacker to overcome.

“However, the Android KeyStore is respawned every time it terminates,” Hay cautions. “This behavior enables a probabilistic approach; moreover, the attacker may even theoretically abuse ASLR to defeat the encoding.”

LATEST UPDATE – ANDROID 4.4.4

Currently Google is rolling out Android KitKat 4.4.4, build number KTU84P (branch kitkat-mr2.1-release), to several Nexus devices, including the Nexus 4, 5, 7 and 10. The latest update primarily addresses the OpenSSL CCS Injection vulnerability (CVE-2014-0224), which was discovered in OpenSSL after the Heartbleed bug was uncovered.

So if you haven’t updated your OS, this might be a good time to do it. Users can check whether the update is available for their device under Settings > About Phone > System Updates.


via The Hacker News http://ift.tt/1lkbLII

FIFA World Cup Security Team Accidentally Reveals their Wi-Fi Password
At this FIFA World Cup, security has been going really well, with no calamitous incident reported so far, other than the security company responsible for keeping an eye on the event’s security itself tweeting a photograph of its state-of-the-art monitoring centre that exposed the World Cup security centre’s internal Wi-Fi password to the whole world.

Israel-based security firm RISCO is providing security management at the soccer stadium and is very proud of its incredible work in securing this year’s World Cup, which includes monitoring and maintaining hundreds of CCTV security cameras all over the 41,000-seat Arena Pantanal football stadium in Cuiaba, Brazil.

The image was originally published by news outlet Correio Braziliense, and showed the Federal Police’s head of international co-operation, Luiz Cravo Dorea, standing in the multi-million-dollar security center overseen by the Israeli company RISCO and watching live video feeds from surveillance cameras.

The image was posted on Twitter and has been re-tweeted almost 3,000 times.

The World Cup security centre allows security personnel to view live feeds from various cameras around the World Cup stadiums. But it inadvertently exposed the Wi-Fi SSID and password in the background of the picture, on the big screen, where anyone can read them with a squint of the eye. It reads:

Wifi Network: WORLDCUP
Password: b5a2112014

The password appears to be “brazil2014” in leet speak. I think it’s completely unguessable and the most secure one for this highly considered World Cup event.
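An added example (not from the original post) of how a password auditor would catch a credential like this one: it strips a trailing year, expands the common leet substitutions back into letters, and compares every expansion against a small wordlist using edit distance, so that a one-character deviation from a dictionary word is still flagged. The wordlist, the substitution table, the distance threshold and the function names are my assumptions, constructed for the demonstration.

```python
import itertools
import re

# Common leet substitutions; a digit or symbol may also simply be itself
# (assumed table, the usual cracking-rule set)
LEET = {'0': 'o', '1': 'il', '2': 'z', '3': 'e', '4': 'a', '5': 's',
        '7': 't', '8': 'b', '@': 'a', '$': 's', '!': 'i'}

# Constructed wordlist: in a real audit this would be an event- or
# organisation-specific dictionary on top of a general one
WORDLIST = ['brazil', 'worldcup', 'football', 'stadium', 'fifa', 'password']

# A four-digit year glued to the end of the password (19xx or 20xx)
YEAR_SUFFIX = re.compile(r'^(.*?)((?:19|20)\d{2})$')


def split_year(pw):
    """Return (stem, year) where year is '' if the password has no year suffix."""
    m = YEAR_SUFFIX.match(pw)
    return (m.group(1), m.group(2)) if m else (pw, '')


def deleet_candidates(stem, limit=256):
    """All ways of reading the stem with each leet character either kept or
    replaced by one of its letter readings, capped at `limit` candidates."""
    choices = [[c] + (list(LEET[c]) if c in LEET else []) for c in stem.lower()]
    out = set()
    for combo in itertools.product(*choices):
        out.add(''.join(combo))
        if len(out) >= limit:
            break
    return out


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(pw, max_distance=1):
    """Flag a password as weak when some de-leeted reading of its stem is
    within `max_distance` edits of a wordlist entry."""
    stem, year = split_year(pw)
    closest, best = None, None
    for cand in deleet_candidates(stem):
        for word in WORDLIST:
            d = edit_distance(cand, word)
            if best is None or d < best:
                closest, best = word, d
    return {'stem': stem, 'year': year, 'closest': closest,
            'distance': best, 'weak': best is not None and best <= max_distance}


if __name__ == '__main__':
    print(audit('b5a2112014'))   # closest 'brazil', distance 1, weak True
    print(audit('Xq7!vR2mLp'))   # nothing within one edit, weak False
```

For the leaked password the stem “b5a211” de-leets to “bsazil”, one edit away from “brazil” (5 is not a standard substitution for r), which with the year suffix “2014” is enough to flag it as dictionary-derived; a random ten-character string passes the same check.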

These accidentally leaked Wi-Fi credentials from the security centre of the biggest game on Earth could have given cybercriminals an opportunity to carry out man-in-the-middle attacks, break into the network and compromise its systems.

But after the media coverage, they would surely have realized their mistake and quietly updated the Wi-Fi SSID and password for the football World Cup’s security center.


via The Hacker News http://ift.tt/1nIlueQ

Stuxnet-like 'Havex' Malware Strikes European SCADA Systems
Security researchers have uncovered a new Stuxnet-like malware, named “Havex”, which has been used in a number of previous cyber attacks against organizations in the energy sector.

Just like the famous Stuxnet worm, which was specially designed to sabotage the Iranian nuclear project, the new trojan Havex is also programmed to infect the industrial control system software of SCADA and ICS systems, with the capability to possibly disable hydroelectric dams, overload nuclear power plants, and even shut down extensive swaths of a country’s power grid, all with a single keystroke.

According to security firm F-Secure, which first discovered it as Backdoor:W32/Havex.A, it is a generic remote access Trojan (RAT) that has recently been used to carry out industrial espionage against a number of companies in Europe that use or develop industrial applications and machines.

SMARTY PANTS, TROJANIZED INSTALLERS

To accomplish this, besides traditional infection methods such as exploit kits and spam emails, the cybercriminals also used another effective method to spread the Havex RAT: hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps.

During installation, the trojanized software setup drops a file called “mbcheck.dll”, which is actually the Havex malware, used by its operators as a backdoor for the attacker. “The C&C server will [then] instruct infected computers to download and execute further components.”

“We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims,” F-Secure said.

F-Secure did not name the affected vendors, but the victims include an industrial machine producer and two educational organizations in France, with companies in Germany also hit.

INFORMATION GATHERING

Havex RAT is equipped with a new component whose purpose is to gather information about the network and connected devices by leveraging the OPC (Open Platform Communications) standard.

OPC is a communications standard that allows interaction between Windows-based SCADA applications and process control hardware. The malware scans the local network for devices that respond to OPC requests, gathers information about the industrial control devices it finds, and then sends that information back to its command-and-control (C&C) server.

Besides this, it also includes information-harvesting tools that gather data from the infected systems, such as:

  • Operating system related information
  • A credential-harvesting tool that steals passwords stored in open web browsers
  • A component that communicates with different Command-&-Control servers using custom protocols and executes tertiary payloads in memory.

“So far, we have not seen any payloads that attempt to control the connected hardware,” F-Secure confirmed.

MOTIVATION?

While their motivation is unclear at this point, F-Secure noted: “We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations.”

HAVEX TROJAN FROM RUSSIANS?

In January this year, cybersecurity firm CrowdStrike revealed a cyber espionage campaign, dubbed “Energetic Bear,” in which hackers possibly tied to the Russian Federation penetrated the computer networks of energy companies in Europe, the United States and Asia.

According to CrowdStrike, the malware used in those cyber attacks was the HAVEX RAT and the SYSMain RAT; HAVEX RAT is possibly itself a newer version of the SYSMain RAT, and both tools have been operated by the attackers since at least 2011.

That means it is possible that the Havex RAT is somehow linked to Russian hackers or sponsored by the Russian state.


via The Hacker News http://ift.tt/1mxGnLT

Zero-Day TimThumb WebShot Vulnerability leaves Thousands of WordPress Blogs at Risk
Yesterday we learned of a critical zero-day vulnerability in a popular image resizing library called TimThumb, which is used in thousands of WordPress themes and plugins.

WordPress is a free and open source blogging tool and content management system (CMS) with more than 30,000 plugins, each offering custom functions and features that let users tailor their sites to their specific needs. It is easy to set up and use, which is why tens of millions of websites across the world have opted for it.

But if you or your company use the popular image resizing library “TimThumb” to resize large images into usable thumbnails for display on your site, then make sure you update the file with the upcoming release and remember to check the TimThumb site regularly for the patched update.

0-Day REMOTE CODE EXECUTION & NO PATCH

The critical vulnerability, discovered by Pichaya Morimoto in TimThumb WordPress plugin version 2.8.13, resides in its “Webshot” feature, which, when enabled, allows attackers to execute commands on a remote website.

The vulnerability allows an attacker to remotely execute arbitrary PHP code on the affected website. Once the PHP code has been executed, the website can easily be compromised in whatever way the attacker wants. So far there is no patch available for the flaw.

“With a simple command, an attacker can create, remove and modify any files on your server,” say security experts at Sucuri in a blog post.

Using the following command, a hacker can create, delete and modify any files on your server:

http://ift.tt/Vq78rL

http://ift.tt/1ryonRS

WHO ARE VULNERABLE

Unfortunately, there are hundreds of other WordPress plugins and themes that use the TimThumb library by default. Some of them are:

1.) TimThumb 2.8.13 WordPress plugin
2.) WordThumb 1.07, which uses the same vulnerable WebShot code
3.) WordPress Gallery Plugin
4.) IGIT Posts Slider Widget
5.) All WordPress themes from Themify, which contain the vulnerable WordThumb at the “/themify/img.php” location

The good news is that TimThumb ships with the webshot option disabled by default, so only those TimThumb installations whose owners have manually enabled the webshot feature are vulnerable to the flaw.

CHECK AND DISABLE TIMTHUMB “WEBSHOT”

  1. Open the timthumb file inside your theme or plugin directory, usually located at “/wp-content/themes//path/to/timthumb.php”
  2. Search for “WEBSHOT_ENABLED”
  3. If you find define ('WEBSHOT_ENABLED', true), then set the value to “false”, i.e. define ('WEBSHOT_ENABLED', false)
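As an added example, not part of the original post or of TimThumb itself, the following Python script automates the three steps above across a whole wp-content tree: it finds TimThumb-style files, reports those where WEBSHOT_ENABLED is defined as true, and rewrites that define to false. The file names it looks for, the regex, and the constructed sample tree built by demo() are my assumptions; the sample files are stubs, not real plugin code.

```python
import os
import re
import tempfile

# File names under which TimThumb and its forks commonly ship (assumption;
# extend the set to match your own themes and plugins)
TIMTHUMB_NAMES = {'timthumb.php', 'thumb.php', 'img.php', 'wordthumb.php'}

# define('WEBSHOT_ENABLED', true) with either quote style, any spacing, any case
WEBSHOT_DEFINE = re.compile(
    r'''define\s*\(\s*['"]WEBSHOT_ENABLED['"]\s*,\s*(true|false)\s*\)''', re.I)


def webshot_enabled(source):
    """True if the PHP source defines WEBSHOT_ENABLED as true (steps 2 and 3)."""
    m = WEBSHOT_DEFINE.search(source)
    return m is not None and m.group(1).lower() == 'true'


def disable_webshot(source):
    """Return the source with the define forced to false (step 3)."""
    return WEBSHOT_DEFINE.sub("define('WEBSHOT_ENABLED', false)", source)


def scan(root):
    """Walk a wp-content tree and return the sorted paths of TimThumb-style
    files that currently have WebShot switched on (step 1 over every theme
    and plugin at once)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in TIMTHUMB_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    if webshot_enabled(fh.read()):
                        hits.append(path)
    return sorted(hits)


def remediate(root):
    """Scan, rewrite every hit in place, and return (hits before, hits after)
    as paths relative to root; the second list should be empty."""
    before = scan(root)
    for path in before:
        with open(path, encoding='utf-8') as fh:
            src = fh.read()
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(disable_webshot(src))
    after = scan(root)
    return ([os.path.relpath(p, root) for p in before],
            [os.path.relpath(p, root) for p in after])


def demo():
    """Constructed wp-content tree: one theme with WebShot enabled, one
    Themify-style img.php with it disabled, and one copy that never defines it."""
    root = tempfile.mkdtemp()
    layout = {
        'themes/theme-a/path/to/timthumb.php': "<?php\ndefine ('WEBSHOT_ENABLED', true);\n",
        'themes/theme-b/themify/img.php': "<?php\ndefine('WEBSHOT_ENABLED', false);\n",
        'plugins/gallery/timthumb.php': "<?php\n// no WEBSHOT_ENABLED define at all\n",
    }
    for rel_path, body in layout.items():
        full = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='utf-8') as fh:
            fh.write(body)
    return remediate(root)


if __name__ == '__main__':
    print(demo())  # (['themes/theme-a/path/to/timthumb.php'], [])
```

Point scan() or remediate() at your real wp-content directory; because the regex only recognises the define itself, a file that enables WebShot some other way is not caught, so a manual read of any unusual timthumb copy is still worthwhile.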

Unfortunately, multiple similar security flaws have been discovered in TimThumb in the past, leaving millions of WordPress-powered websites vulnerable to attack.


via The Hacker News http://ift.tt/1qxQ1yu