WordPress 3.3.2 Released

Today the WordPress developers released a minor security update, WordPress 3.3.2, which is now available for all your WordPress installs.

This new version of WordPress includes security updates for three external libraries:

  • Plupload (version 1.5.4), which WordPress uses for uploading media.
  • SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
  • SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

WordPress 3.3.2 also addresses a few other bugs:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of the WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

However, the WordPress developers didn’t mention whether this update was released specifically to deal with the Mac Flashfake/Flashback Trojan that was spread via infected WordPress blogs.

According to WebSense (via MacWorld UK), up to 100,000 WordPress sites were infected (85% of them in the US).

Some of the sites used to host the attack could have become infected after naïve admins installed a rogue WordPress utility, ToolsPack. This inserted a simple script on the site capable of redirecting vulnerable users to a malware host.

Kaspersky reports that 205,622 Mac users have checked for infection on the flashbackcheck.com website it set up, with 3,624 of these turning out to be infected, a malware rate under 2 percent. The overall infection numbers have declined rapidly since last week.

“Apple is not used to reacting to these kinds of attack,” said Kaspersky researcher, Vincente Diaz.

The company was in the habit of writing its own patches for Java vulnerabilities instead of simply applying those coming from Java overseer, Oracle. In the case of Flashback, this had introduced delays to those patches being applied, he said.

“Mac OS invulnerability is a myth.”

So make sure you update your WordPress installs as soon as possible.
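As an added example (not code from the original post or from the WordPress project), here is a small audit script that checks whether each WordPress install on a host is at or above 3.3.2. It reads the `$wp_version` string that WordPress stores in `wp-includes/version.php` (a real file and variable in WordPress core) and compares it against the fixed release, treating pre-release builds such as `3.3.2-RC1` as older than `3.3.2`. The install roots and the sample `version.php` contents are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# WordPress core records its version in wp-includes/version.php as, for example:
#     $wp_version = '3.3.1';
FIXED_VERSION = "3.3.2"
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")

# Constructed sample of a version.php from an out-of-date install (not a real file).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.3.1';\n$wp_db_version = 19470;\n"


def parse_version(text):
    """Return the $wp_version string found in version.php contents, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_key(version):
    """Turn '3.3.2', '3.3' or '3.4-beta1' into a comparable key.

    Numeric parts are padded to three components so '3.3' equals '3.3.0'.
    A pre-release suffix (anything after '-') ranks below the final release
    with the same numbers; the ordering between two pre-releases is not modelled.
    """
    core, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))
    return (nums, 0 if suffix == "" else -1)


def needs_update(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return version_key(installed) < version_key(fixed)


def audit_installs(roots):
    """Map each install root to (version, needs_update).

    An unreadable or unparsable version.php is reported as (None, True) so that
    it is flagged for manual review rather than silently passed.
    """
    report = {}
    for root in roots:
        path = Path(root) / "wp-includes" / "version.php"
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            report[str(root)] = (None, True)
            continue
        version = parse_version(text)
        report[str(root)] = (version, True if version is None else needs_update(version))
    return report


def demo():
    """Build a throw-away install tree with the constructed sample and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site1"
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "version.php").write_text(SAMPLE_VERSION_PHP)
        return audit_installs([root, Path(tmp) / "missing-site"])


if __name__ == "__main__":
    for root, (version, stale) in demo().items():
        print(f"{root}: version={version} needs_update={stale}")
```

Run it over the document roots of every install on a server (for example the parents of each `wp-config.php` found by `find`) and treat a `None` version as a finding in its own right, since a missing or rewritten `version.php` is itself a sign that the install is not in a known state.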