Welcome to the Patchstack Weekly Security Update, Episode 59! This update is for week 7 of 2023.
This week’s knowledge share will be about virtual patching. I will explain how it works, and how it can save you from a lot of stress and anxiety when it comes to deciding when to update your site’s components.
Then, in this week’s vulnerability roundup, I will share the story of one plugin that patched a lot of security bugs in a single release. A heroic effort by the developer, but end users may receive a lot of alerts if they haven’t updated yet.
Do you need Virtual Patches?
Everyone knows software has updates, but not all updates are equal. Some add minor features, some fix security bugs, and on rare occasions an update breaks the very thing it is meant to improve.
This uneven importance has led some site owners to delay updates, or skip them entirely, until they can verify that a patch does not break anything.
That delay means security patches are not applied promptly, and the site stays exposed in the meantime. This is where virtual patching comes into play.
What is a Virtual Patch?
Virtual patching means mitigating a vulnerability without changing the vulnerable software itself. Instead, requests that would exploit the bug are blocked at another layer, typically a WAF (Web Application Firewall) in front of or on the web server.
It is mostly used in the information security field to secure software temporarily until the software can be formally patched; it is a stop-gap when patches are delayed. The vulnerable code is still there, so a virtual patch only protects you against requests that match the exploit pattern, and the real update still has to happen.
This is why virtual patching is a valuable tool for any WordPress website where updates are not automated. When a security bug is discovered in a plugin or theme, a virtual patch buys you time to perform the update on your own schedule.
Virtual patching is also handy if you hit a bug in the update process. The extra protection gives you the option to roll back to the known working (but insecure) version of a plugin while you work out the problem, keeping the site online while you troubleshoot.
That is not all virtual patching helps with: it can also be a last line of defense if you are running unpatched or unsupported software.
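To make the idea concrete, here is a hand-rolled virtual patch written as a WordPress must-use plugin. It is an added example for this post, not Patchstack's code and not how the Patchstack app delivers its patches. It assumes a hypothetical installed plugin registers an AJAX action named example_move_item with neither a nonce nor a capability check, and that you cannot update that plugin right now.

```php
<?php
/**
 * Plugin Name: Virtual patch for a hypothetical "example_move_item" AJAX action
 *
 * Added example for illustration (not Patchstack's code). Placed in
 * wp-content/mu-plugins/ it loads before ordinary plugins and cannot be
 * deactivated from wp-admin. Assumption: some plugin registered
 * wp_ajax_example_move_item at the default priority 10 with no nonce and
 * no capability check.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * True when the browser itself says this request came from our own origin.
 *
 * The vulnerable plugin's JavaScript sends no nonce, so the patch cannot demand
 * one without breaking the feature. It falls back to the browser-controlled
 * Sec-Fetch-Site / Origin / Referer headers, which a cross-site form on an
 * attacker's page cannot forge.
 */
function vp_example_is_same_origin_request() {
    $fetch_site = isset( $_SERVER['HTTP_SEC_FETCH_SITE'] ) ? $_SERVER['HTTP_SEC_FETCH_SITE'] : '';
    if ( 'same-origin' === $fetch_site ) {
        return true;
    }
    if ( '' !== $fetch_site ) {
        return false; // "cross-site", "same-site" or "none": not our own page.
    }

    // Browser without Sec-Fetch-Site: compare the Origin (or Referer) host to ours.
    $source      = ! empty( $_SERVER['HTTP_ORIGIN'] ) ? $_SERVER['HTTP_ORIGIN'] : ( $_SERVER['HTTP_REFERER'] ?? '' );
    $source_host = wp_parse_url( $source, PHP_URL_HOST );
    $site_host   = wp_parse_url( home_url(), PHP_URL_HOST );

    return $source_host && $site_host && 0 === strcasecmp( $source_host, $site_host );
}

/**
 * Runs at priority 0 on the very hook admin-ajax.php fires, so it executes
 * before the vulnerable callback at priority 10. Ending the request here is
 * the virtual patch; if both checks pass, the original handler runs untouched.
 */
function vp_example_guard_move_item() {
    // Missing authorization: the real handler changes content, so require the
    // capability an editor needs rather than merely being logged in.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // CSRF: no nonce is available, so enforce same-origin provenance instead.
    if ( ! vp_example_is_same_origin_request() ) {
        wp_send_json_error( array( 'message' => 'Cross-site request rejected' ), 403 );
    }
}
add_action( 'wp_ajax_example_move_item', 'vp_example_guard_move_item', 0 );
```

Two design notes. The capability check closes the missing-authorization hole completely, but the CSRF mitigation is weaker than a real nonce because it depends on headers the browser sets; it is enough to stop a forged form on another site, which is exactly the attack a virtual patch needs to hold off. Remove the mu-plugin once the real update is installed, otherwise you are maintaining two patches for one bug.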
Protection from unpatched vulnerabilities
It is an unfortunate reality that not all open source projects are actively developed. I have written about this issue before, and even wrote some last patches for WordPress plugins that have been abandoned.
A virtual patch may be the only practical way to keep a site protected when a vulnerability is identified in an abandoned plugin, short of removing the plugin right away. It protects the website until you find a replacement for the abandoned component that is putting your site at risk.
Of course, Patchstack offers virtual patches for all paid Patchstack app accounts. If you are interested in being in control of how and when patches get applied but do not want to compromise site security, then you should be sure you have virtual patching in place to protect your sites in the meantime.
This week’s vulnerability roundup is all about one plugin and twenty patched bugs. The plugin is Wicked Folders, and the twenty bugs fall into two classes: missing authorization and Cross-Site Request Forgery (CSRF). Both are rated Medium severity and may not affect you at all, because exploiting them requires either a Subscriber-level account (which matters mainly on sites with open registration) or tricking a logged-in user into following a link.
It appears a researcher familiar with finding these two types of security bugs audited the plugin and found 10 AJAX endpoints that lacked nonce or authorization checks. I am unsure if Wicked Folders paid for an audit or if this was found independently. But it shows someone was looking for as many instances of these bugs as they could find.
The developer did a great job providing the patch back on February 6th and noted in the changelog that the update includes security fixes. Now it is up to the users to get their site(s) updated.
If you run a site with Wicked Folders and have not yet updated, you may receive a lot of notifications about this: twenty, to be specific. The CNA that requested the CVE numbers reported two vulnerabilities (one missing authorization, one CSRF) for each of the 10 endpoints that lacked nonce or authorization checks. That can cause some alert fatigue, or a brief spell of anxiety when you see an inbox full of alerts. Don’t worry though: all twenty CVEs are addressed in a single release and none is an emergency. So, update at your convenience, and rest assured that the developer of Wicked Folders is attentive to security bugs (even 20 at a time!).
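For readers who maintain their own plugins, here is what the two bug classes in this roundup look like in code, and what fixing them means. This is an added example built around a hypothetical action named demo_assign_folder; it is not code from Wicked Folders or any real plugin, and the JavaScript file it enqueues is assumed to exist.

```php
<?php
/**
 * Added example (not code from Wicked Folders or any real plugin). One
 * hypothetical AJAX action, "demo_assign_folder", first written the way the
 * twenty reported bugs look, then the way a patched release fixes it.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/* ---- Before: missing authorization and CSRF on the same endpoint ---- */

// wp_ajax_* hooks only require a logged-in session, so a Subscriber reaches
// this. Nothing verifies intent (a nonce) or rights (a capability), and the
// post_id is taken from the request, so any post can be modified.
function demo_assign_folder_vulnerable() {
    $post_id   = absint( $_POST['post_id'] ?? 0 );
    $folder_id = absint( $_POST['folder_id'] ?? 0 );

    update_post_meta( $post_id, '_demo_folder', $folder_id );
    wp_send_json_success();
}
// Left unregistered here so the two versions do not both hook the same action:
// add_action( 'wp_ajax_demo_assign_folder', 'demo_assign_folder_vulnerable' );

/* ---- After: the two checks a security release adds ---- */

function demo_assign_folder_fixed() {
    // CSRF: the nonce is bound to the logged-in user and the action name, and a
    // form on an attacker's site cannot obtain it. On a missing or stale nonce
    // check_ajax_referer() terminates the request with "-1" (HTTP 403).
    check_ajax_referer( 'demo_assign_folder', 'nonce' );

    $post_id   = absint( $_POST['post_id'] ?? 0 );
    $folder_id = absint( $_POST['folder_id'] ?? 0 );

    // Authorization: check the capability for the specific object being changed,
    // not just "is logged in". A Subscriber cannot edit someone else's post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'You may not edit this post.' ), 403 );
    }

    update_post_meta( $post_id, '_demo_folder', $folder_id );
    wp_send_json_success( array( 'post_id' => $post_id, 'folder_id' => $folder_id ) );
}
add_action( 'wp_ajax_demo_assign_folder', 'demo_assign_folder_fixed' );

/* ---- Hand the nonce to the legitimate client so it can send it back ---- */

// demo-folders.js (assumed, not shown) posts to demoFolders.ajaxUrl with
// action=demo_assign_folder, post_id, folder_id and nonce=demoFolders.nonce.
function demo_assign_folder_enqueue() {
    wp_enqueue_script( 'demo-folders', plugins_url( 'demo-folders.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-folders', 'demoFolders', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_assign_folder' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_assign_folder_enqueue' );
```

The point worth taking from this: the two checks are independent, which is why a CNA can file them as two CVEs per endpoint. A nonce alone still lets any logged-in user call the action from the site's own pages, and a capability check alone still lets an attacker ride an administrator's session from another site. Each endpoint needs both.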
Thanks and appreciation
This week’s thanks goes out to the developer of the Wicked Folders plugin. Thank you for patching all of those AJAX endpoints, and addressing each of those reported bugs.
A special thank you goes out to iThemes. The team announced this week that the iThemes Security and iThemes Security Pro plugins are now powered by Patchstack’s Vulnerability Intelligence. This collaboration means more sites are being protected and is a win for everyone except the botnets.
I will be back next week with more security tips, tricks, opinions and news on the Patchstack Weekly Security Update!