Consider this proof that security doesn’t take a holiday.
Yesterday Automattic announced the release of WordPress 3.0.4, and it is considered both a critical and a mandatory upgrade.
According to the announcement, a security flaw was found in KSES, the system WordPress uses to sanitize the content of posts and other HTML submissions. It would enable an attacker to add code to the WordPress site, possibly allowing that code to run client-side in the browsers of those who visit it.
Given the severity of the problem, it’s been advised that all WordPress users update immediately. Those who host their blogs at WordPress.com are updated automatically.
If you are running 3.0.3 or earlier, it is crucial that you update your site today; the process takes only a few seconds and could help keep your site and your visitors much safer.
How to Upgrade
Upgrading your WordPress installation should be simple. If you have a recent version of WordPress, you will be notified via a bar at the top of your administration area.
From there, simply click the “Update Now” link and follow the directions. Your update should complete within a few moments.
If you need to upgrade manually, you can read these instructions on the WordPress.org site and perform it via FTP.
No matter which way you do the update, please make a backup of your database or ensure that you have a recent one at the ready. Though issues with WordPress upgrades are rare, they can happen, so it is best to be ready.
All in all, the process should only take a few seconds per site but it is critical that you update all WordPress-based sites that you run. Even having one vulnerable site attacked can cause problems for the others on your server.
The Nature of the Vulnerability
Very little information has been released about the nature of the vulnerability and what it could mean. On that subject, the official announcement only says:
Version 3.0.4 of WordPress, available immediately through the update page in your dashboard or for download here, is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”
The Codex entry adds the following:
“Fix XSS vulnerabilities in the KSES library: Don’t be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url().”
Cross-site scripting vulnerabilities, or XSS, are particularly nasty in that they allow others to inject code into your site and, in many cases, add content that can attack other visitors.
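The Codex entry above names three sanitizer fixes: attribute names must be matched case-insensitively, padded character entities must be handled when looking for a bad protocol, and entities must be normalized before the protocol is checked. The following Python sketch is an added example, not KSES or any WordPress code, written to show what those three points mean in a sanitizer. The allowlists, the `naive_bad_protocol` “before” function and the test vectors are all constructed for illustration.

```python
import html
import re

# Constructed allowlists for this example; WordPress's real KSES tables are longer.
ALLOWED_PROTOCOLS = {"http", "https", "mailto", "ftp"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}

# A scheme is whatever precedes the first ':' that comes before any '/', '?' or '#'.
_SCHEME_RE = re.compile(r"^([^/?#:]*):")


def normalize_entities(value: str) -> str:
    """Fully decode HTML entities, including zero-padded numeric references
    (&#0000058;) and hex forms (&#x3a;), so later checks see the same
    characters a browser will see. Repeats until the text stops changing so a
    doubly-encoded character cannot hide behind one more layer."""
    prev = None
    while prev != value:
        prev = value
        value = html.unescape(value)
    return value


def naive_bad_protocol(url: str) -> str:
    """Constructed illustration of the bug class, not KSES code: it looks for
    the scheme separator BEFORE decoding entities. An entity-encoded colon is
    never recognised as a separator, so the value is treated as schemeless and
    kept verbatim; the browser decodes the entity later and honours the scheme."""
    match = _SCHEME_RE.match(url)
    if match is None:
        return url                  # "no scheme" -- the flawed assumption
    scheme = match.group(1).lower()
    return url if scheme in ALLOWED_PROTOCOLS else ""


def safe_bad_protocol(url: str) -> str:
    """Hardened check: normalize entities first, strip whitespace and control
    characters that browsers ignore inside a scheme, then compare against the
    allowlist. Returns "" for a rejected URL. The result is decoded text and
    must be re-escaped (html.escape) when written back into an attribute."""
    decoded = normalize_entities(url)
    match = _SCHEME_RE.match(decoded)
    if match is None:
        return decoded              # relative URL: no scheme to check
    scheme = re.sub(r"[\x00-\x20]", "", match.group(1)).lower()
    return decoded if scheme in ALLOWED_PROTOCOLS else ""


def filter_attributes(tag: str, attrs: dict) -> dict:
    """Keep only allowlisted attributes for the tag, comparing names
    case-insensitively (HTML treats HREF and href as the same attribute), and
    run URL-bearing attributes through the protocol check."""
    allowed = ALLOWED_ATTRS.get(tag.lower(), set())
    kept = {}
    for name, value in attrs.items():
        lname = name.lower()
        if lname not in allowed:
            continue
        if lname in URL_ATTRS:
            value = safe_bad_protocol(value)
            if value == "":
                continue            # drop the attribute rather than keep a bad URL
        kept[lname] = value
    return kept


if __name__ == "__main__":
    # Constructed test vectors: a padded-entity colon and a mixed-case attribute name.
    padded = "javascript&#0058;void(0)"
    print(repr(naive_bad_protocol(padded)))   # kept verbatim: the bug
    print(repr(safe_bad_protocol(padded)))    # '' : rejected
    print(filter_attributes("a", {"HREF": "https://example.com/", "onclick": "x"}))
```

The ordering is the whole point: every comparison (attribute name, scheme separator, scheme value) is made on the canonical form the browser will eventually see, never on the raw bytes the author submitted.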
It is clear from other reports that the vulnerability fixed in 3.0.4 has already been used and has been seen en masse by some hosts. It at least closely mirrors hacks that affected earlier versions of WordPress, or may simply be a case of sites that have not updated WordPress since 2.8.4.
The key symptom of the hack that is circulating is trouble logging into the administration area. However, if your site has been compromised, recovery is difficult at best as the malicious code is included in almost every single page of your site. Simply re-installing WordPress will NOT help.
The best thing you can do, according to experts, is back up your database and start with a totally clean install (hopefully of WordPress 3.0.4).
If you haven’t been hit, this is, most clearly, not an update to miss. It’s a very nasty exploit and it may be spreading fairly quickly. As such, it makes sense to guard yourself now rather than later.
Many, if not most, WordPress security updates don’t have a significant real-world impact. Most deal with very specific situations, often with users who already have limited access to your site, and don’t readily apply to the majority of bloggers. While updates are still advised, they are less than crucial.
However, this update is not one of those. It is a very real, very significant security exploit and one that may already be in use to compromise sites.
In short, if you haven’t installed this update, you need to do so as soon as possible. It may be the holidays, but this particularly nasty vulnerability could very easily wreck your new year.