Monday, July 9, 2018

[RESOLVED] Apollo Server Status

7:12pm PT: The data center where the Apollo server resides is having "connectivity issues." As soon as they update us we will pass that information onto you.

Thank you for your patience and understanding.

8:33pm PT: The data center's network connectivity issues have been resolved.They were under a massive DOS attack. It has been mostly contained at this time.

Monday, July 2, 2018

WordPress Unpatched Security Vulnerability Discovered in All Versions

There's been a security vulnerability discovered in all versions of WordPress, including the current version, 4.9.6. It requires a privileged user (a subscriber, author, etc) to exploit, but those credentials could be snagged by social engineering. 

This vulnerability was responsibly reported* by the researchers 7 months ago to the WordPress team. This vulnerability remains unpatched, 7 months later.

* "Responsible reporting" is when a security vulnerability is discovered, and rather than going public with it immediately, it is reported to the software Developer(s) so they have a chance to fix it and release a patch.

When a fix isn't done in a reasonable amount of time the researcher often goes public with the security issue, to both warn the public and put pressure on the software Developer(s) to fix it already.

From The Hacker News: "Last week we received a tip about an unpatched vulnerability in the WordPress core, which could allow a low-privileged user to hijack the whole site and execute arbitrary code on the server.

Discovered by researchers at RIPS Technologies GmbH, the "authenticated arbitrary file deletion" vulnerability was reported 7 months ago to the WordPress security team but remains unpatched and affects all versions of WordPress, including the current 4.9.6.

The vulnerability resides in one of the core functions of WordPress that runs in the background when a user permanently deletes thumbnail of an uploaded image."

If you subscribe to our WordPress Update Management service you're being contacted for permission to install the hotfix for this issue.