
WordPress 3.5.2 Security Patch


WordPress released version 3.5.2 today; it is available directly from the WordPress servers. This maintenance release is a security release that applies to all previous versions, bundling a set of security fixes alongside general bug fixes.

It is recommended that you install this release as soon as possible to keep your WordPress installation current on security fixes.

The official news release is here:

http://wordpress.org/news/2013/06/wordpress-3-5-2/


The release includes fixes to WordPress core for the following issues:

  • Avoiding disclosure of the full server file path when an upload fails.
  • Multiple fixes for cross-site scripting (XSS).
  • An update to the bundled TinyMCE library to fix an XSS vulnerability.
  • Prevention of a denial-of-service (DoS) attack affecting sites that use password-protected posts.
  • An update to the bundled SWFUpload library to fix XSS vulnerabilities.
  • Preventing contributors from improperly publishing posts or reassigning a post's authorship.
  • Blocking server-side request forgery (SSRF) attacks.

You can get more details on these issues and how they were resolved here:

http://codex.wordpress.org/Version_3.5.2
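A check a practitioner would want alongside the advice above: a script that reports which version an install is actually running and whether it predates 3.5.2. This is an added example, not code from the original post or from WordPress. It assumes the install's wp-includes/version.php declares the version with the usual "$wp_version = '...';" line, and it only handles numeric release versions (a pre-release string such as '3.6-beta1' is rejected rather than guessed at).

```python
"""Added example, not code from the original post or from WordPress: check
whether a WordPress install is at or above the 3.5.2 security release.

Assumes wp-includes/version.php declares the version on a line of the form
    $wp_version = '3.5.1';
which is the form WordPress core uses for that file.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

PATCHED = "3.5.2"  # the security release discussed in this post

# Matches the $wp_version assignment in wp-includes/version.php.
VERSION_RE = re.compile(r"^\$wp_version\s*=\s*'([^']+)';", re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.5.2' into (3, 5, 2) so versions compare numerically;
    plain string comparison would put '3.10' before '3.9'.
    Pre-release strings such as '3.6-beta1' are rejected on purpose."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def wp_version_from_php(php_source: str) -> Optional[str]:
    """Return the version string declared in version.php, or None if absent."""
    match = VERSION_RE.search(php_source)
    return match.group(1) if match else None


def needs_update(installed: str, patched: str = PATCHED) -> bool:
    """True when the installed version predates the patched release.
    Tuple comparison gives (3, 5) < (3, 5, 2), so a bare '3.5' is flagged too."""
    return parse_version(installed) < parse_version(patched)


def check_docroot(docroot: Path, patched: str = PATCHED) -> Tuple[str, bool]:
    """Read the install under docroot and report (installed_version, needs_update)."""
    version_file = Path(docroot) / "wp-includes" / "version.php"
    installed = wp_version_from_php(version_file.read_text(encoding="utf-8"))
    if installed is None:
        raise ValueError(f"no $wp_version assignment found in {version_file}")
    return installed, needs_update(installed, patched)


if __name__ == "__main__":
    import sys

    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    version, stale = check_docroot(root)
    status = "UPDATE REQUIRED" if stale else "ok"
    print(f"{root}: WordPress {version} (patched release {PATCHED}): {status}")
```

Run it as "python check_wp.py /var/www/html" (the script name and docroot are placeholders) against each site's document root; a version.php that has been tampered with or removed raises rather than silently reporting "ok".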



Threat Modeling: STRIDE & Data Flow diagrams

I’ve learned some very easy and useful techniques for performing threat modeling in order to evaluate and improve a system’s security. This stuff is a mandatory, documented step in developing for the DoD.

I used to be intimidated by trying to analyze the security of a system. No more.

Now that I have a clue about it, and see how relatively approachable the whole subject is, I consider this a vital step of any design process. Right up there with guessing the resources you’ll need, choosing a platform, programming language, etc. Really – this is super easy. It’s kinda like basic class diagrams, only for security.

Of course, security goes much deeper than these simple tools, just like object oriented design goes deeper than class diagrams. But in each case, the simple tool gets you a heck of a long way.

Just trust me – this is good reading. RREEAAADDD, my geek friends. At least enough to get a solid feel for this. Maybe this is old hat for some of you.

STRIDE / Data Flow Diagram based analysis:
http://msdn.microsoft.com/en-us/magazine/cc163519.aspx

Threat Trees:
http://etutorials.org/Linux+systems/secure+linux-based+servers/Chapter+1.+Threat+Modeling+and+Risk+Management/Section+1.3.+An+Alternative+Attack+Trees/

Richard

This article was posted to The List by Richard and has been reproduced here for general consumption.
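A worked STRIDE-per-element pass over a small data flow diagram, added here as an example; it is not part of Richard's post or of the linked articles. The element-type-to-threat mapping is the standard STRIDE-per-element chart used in the Microsoft SDL (the approach the MSDN article describes: external interactors get S and R, processes get all six, data stores and data flows get T, I and D, and a data store holding audit logs also gets R). The sample DFD of a web application, its trust zones and its element names are constructed for illustration.

```python
"""Added example, not part of Richard's post or the linked articles: a
STRIDE-per-element pass over a small data flow diagram (DFD).

The element-to-threat mapping is the standard STRIDE-per-element chart from
the Microsoft SDL; the sample DFD of a web application is constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each DFD element type.  A data store also
# gets Repudiation when it holds audit logs (whoever can alter the log can
# later deny an action); that case is handled with the is_log flag below.
APPLICABLE = {
    "external": "SR",     # external interactor: user, browser, third-party API
    "process": "STRIDE",  # running code: every category applies
    "datastore": "TID",   # file, database, queue
    "dataflow": "TID",    # data moving between two elements
}


@dataclass
class Element:
    name: str
    kind: str          # "external", "process" or "datastore"
    zone: str          # trust zone, e.g. "internet", "dmz", "internal"
    is_log: bool = False


@dataclass
class Flow:
    name: str
    src: str           # Element.name
    dst: str           # Element.name


@dataclass
class Dfd:
    elements: Dict[str, Element]
    flows: List[Flow]


def crosses_boundary(dfd: Dfd, flow: Flow) -> bool:
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    return dfd.elements[flow.src].zone != dfd.elements[flow.dst].zone


def boundary_crossings(dfd: Dfd) -> List[Flow]:
    """Flows that cross a trust boundary: the first place to look for threats."""
    return [f for f in dfd.flows if crosses_boundary(dfd, f)]


def enumerate_threats(dfd: Dfd) -> List[Tuple[str, str, str]]:
    """Return (element name, STRIDE category, note) for every threat candidate.
    Each candidate still needs a human to decide whether it is real and how it
    is mitigated; this step only makes sure none of them is forgotten."""
    for flow in dfd.flows:
        for end in (flow.src, flow.dst):
            if end not in dfd.elements:
                raise ValueError(f"flow {flow.name!r} references unknown element {end!r}")
    threats = []
    for el in dfd.elements.values():
        letters = APPLICABLE[el.kind]
        if el.kind == "datastore" and el.is_log:
            letters += "R"
        threats.extend((el.name, STRIDE[c], "") for c in letters)
    for flow in dfd.flows:
        note = "crosses trust boundary" if crosses_boundary(dfd, flow) else "inside one trust zone"
        threats.extend((flow.name, STRIDE[c], note) for c in APPLICABLE["dataflow"])
    return threats


def build_sample() -> Dfd:
    """Constructed sample DFD: a browser talking to a web app that queries a
    database in an internal zone and writes an audit log in its own zone."""
    elements = [
        Element("browser", "external", "internet"),
        Element("web server", "process", "dmz"),
        Element("database", "datastore", "internal"),
        Element("audit log", "datastore", "dmz", is_log=True),
    ]
    flows = [
        Flow("HTTP request", "browser", "web server"),
        Flow("SQL query", "web server", "database"),
        Flow("log write", "web server", "audit log"),
    ]
    return Dfd({e.name: e for e in elements}, flows)


if __name__ == "__main__":
    dfd = build_sample()
    for name, category, note in enumerate_threats(dfd):
        print(f"{name:12} {category:24} {note}")
```

The output is a checklist, not a verdict: for the sample it produces 24 candidates, and the two flows that cross a trust boundary (browser to web server, web server to database) are where mitigations such as authentication, input validation and encryption in transit get decided first.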