Welcome to the Patchstack Weekly Security Update, Episode 64! This update is for week 13 of 2023.
This week’s news is about understanding security bug severity, and how not all security bugs are equal. Some can wait for a patch, but others may need immediate attention. You can save yourself a lot of headaches when you learn how to differentiate.
I will then discuss one security bug which is an actual emergency, in this week’s vulnerability roundup.
Everyone running any software has performed an update. From your cell phone to your desktop, and even your websites. Everyone knows that updates are important and need to be performed. Luckily the process is normally nothing more than a click of a button away.
But, when should you click that update button? Should you update immediately every time, stopping your work and waiting for the update to complete or can you wait until a more convenient time?
The common assumption is some updates can wait, but, when it comes to security updates you should take action right away. But, not all security updates are equal, some require immediate action, while others can wait.
How can you tell the difference? Pay attention to the severity of security bug patches, because not all security vulnerabilities carry equal risk.
In 2022, 87% of the reported security bugs in the WordPress ecosystem would be considered medium or low severity. It is fantastic that these low and medium-security bugs received a patch from the developers, but site owners need not panic, drop everything, and apply those patches.
It is relatively safe to wait, and a good idea to take your time (remembering to backup first) before applying patches for these low or medium-risk bugs.
I do mean relative too. These bugs commonly require an authenticated user to perform the attack or an attacker to trick an authenticated user to perform some action. If you trust your website’s users to not be malicious, or not get duped by attackers, then it is relatively safe. But, if your WordPress website has open registration or your website’s users are not to be trusted, then these medium-risk bugs may pose a more serious risk.
Not all security bugs are low or medium risk though. There are the high-risk bugs (11% of reported bugs in 2022) and the most dangerous critical severity bugs (2%.)
What makes a bug a critical risk? Commonly they require no authentication to perform, which means simply having your website accessible on the internet means it is at risk. And, well, we all have our websites accessible to the internet, that is the whole purpose.
These critical risk bugs (and some high-risk ones) are the security bugs you need to have an emergency action plan for. They are the bugs you should be dropping all other work to address ASAP.
Your plan for these bugs should be the same as any patch update, just performed sooner than later. Back up your site(s) first, then apply the patch. It should not take too long, however, if you do not have the time (or wish to avoid the stress) that is where using security services comes in super handy. These services (like the Patchstack app) can apply virtual patching to buy you the time you need to apply the security update.
Talking about critical risk security bugs, there was one patched this week in a plugin with half a million installations. This security bug patch really does need your immediate attention.
The WooCommerce Payments plugin is the affected plugin. The developers received a report from a security researcher, and with this information, they released the patch to address the critical severity security issue.
This bug was critical because it would allow attackers to make a single unauthenticated request and receive a valid WordPress authentication cookie for any user on the website. This includes administrator users if they know or guess the user’s identification number.
The Woocommerce payments plugins team, worked with the plugins repository team to push an emergency update to all sites running the plugin. This means even sites with auto-update disabled for the plugin, received the update. Based on the severity of this vulnerability, this decision will prevent sites from being hacked.
Within 24 hours of the patch being made available, some security vendors are already reporting that active exploitation is being attempted. Based on my review of the code, this is an easily weaponized attack so this is likely true.
Hopefully, sites have auto-updated faster than the attackers can find their websites, but if you haven’t already, it is strongly recommended you double check your site’s installation of WooCommerce Payments is up to date immediately. It may also be a good idea to rotate your WordPress website’s secret salts. This will invalidate all authentication cookies WordPress has already issued, log out any currently logged-in users, and protect the site in case an attacker has already used the exploit to acquire a valid authentication cookie using this exploit.
You can read more regarding this issue on the Patchstack blog or directly from the developers of the plugin on the WooCommerce Developer blog.
This week’s thanks goes out to the developers of WooCommerce payments plugin and the plugin review team. Their actions to address this serious security bug are critical for securing end user sites from critical security bugs.
A special thank you goes out to the researcher(s) who found the bug. WooCommerce credits Michael Mazzolini of Gold Network for their report, and I personally thank them for reporting this issue responsibly, ethically, and for the good of the user.
I will be back next week with more security tips, tricks, opinions and news on the Patchstack Weekly Security Update!