Welcome to the Patchstack Weekly Security Update, Episode 65! This update is for week 14 of 2023.
This week’s knowledge share is all about how a serious security risk closed source software faces, that open source embraces and turns into one of its strengths.
I will then cover another serious security bug that was patched, but attackers are already attacking. Site owners need to know about this high-severity security bug and need to update their sites if it’s not already too late.
Closed-source software has one vulnerability Open Source software will never face. Source code leaks.
Twitter was affected by a source code leak recently, with portions of its source code found on GitHub.
The LastPass breach also included confirmation attackers were able to exfiltrate some Last Pass source code last summer.
Microsoft had multiple projects’ source code get stolen in 2022 too, this only affected their web and mobile applications like Bing, Maps, and Cortana. Not the operating system.
Even video games’ source code is not safe, with a leak reported by Rockerstar’s famous GTA series.
When a closed-source or proprietary software gets its source code leaked, that can be dangerous. Not only are there security implications of bugs being found, but sometimes close source software includes secret credentials right in the code base (a very bad practice). From a business perspective, there are also stolen intellectual property concerns, this could give competitors an advantage if they review the source code.
Source code leak attacks could negatively affect any software company, every type but one. Open source software companies.
Open source, by it’s very nature gives the source freely to all for review.
Open source takes what is an inherent risk with closed source software, and turns it into a strength. Because, when the code is available for all to see, then security researchers can look for bugs for free.
Of course, someone finding the bug and someone reporting the bug to the project are two separate steps. If someone doesn’t report the security bug to the developer, well, they’re not exactly helping.
This is where services like Patchstack Alliance come in to play. The Alliance incentives researchers, encouraging them to report to our team. The alliance team then works with the developers to professionally inform them of the bug, its impact, and if needed some guidance on a patch.
Users of open source software, be it WordPress, Linux, BSD, Apache, PHP, or many other free open-source software packages out there can be assured, there is no risk when their favorite projects’ source code is made publicly and free. This is the intent of open source and through it, open source turns a risk inherent in closed source into a strong method of security.
In this week’s vulnerability roundup, I will share the details of an actively exploited vulnerability that has already been patched in Elementor Pro.
The developers released a patch to address an authenticated arbitrary option table update bug that only affected the Pro version (e.g. not the free version of Elementor).
The vulnerability was originally reported by NinTechNet and provided a detailed write up. The classification of this vulnerability is an arbitrary option table update risk, something I have commented on in Patchstack Weekly #27: How up Update wp_options Securely.
This vulnerability requires authentication to perform the attack, so it is only a concern for websites that do not trust their users. This includes subscriber and customer user accounts, so e-commerce websites that create user profiles are especially at risk.
Arbitrary option table updates are a unique risk to WordPress sites, but the impact could be that attackers can create new accounts with administrator roles. If your sites are running Elementor Pro, it may be a good idea to check for indicators of compromise (something Patchstack shared details on what to look for on our blog) and double check that no new administrator users have been added to your site.
Like most security bugs, the developers have made a patch available and now it is up to the site owner to apply the patch before their sites get hacked.
Thanks and appreciation
This week’s thanks go out to the developers of Elementor Pro as well as the researchers over at NinTechNet. By working together they were able to address a serious security concern in the pro version of the plugin.
A special thank you goes out to the members of the Patchstack Alliance. Just as with NinTechNet and Elementor, the Alliance works every day to help bridge the gap and eliminate security bugs in open source projects.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly Security Update!