29 Nov 2017

Sucuri Only Became Aware of Exploitation of WordPress Plugins Weeks After Public Disclosure of That Exploitation

One of the problems we find in being part of the web security industry is that the public often believes that companies that don’t seem to know or care much about security are actually leading on things. As an example of the difference between reality and that belief, let’s look at something recent from Sucuri, which is one of the best known companies (though also one that has trouble doing the basics of what they offer and is engaged in rather shady practices).

Currently on their homepage you will find a testimonial that reads in part:

Another thing we like is that Sucuri knows about security issues before they become a problem – in advance.

That is very different from the reality of the exploitation of a couple of recently fixed vulnerabilities in WordPress plugins (and plenty of other examples we can think of from just our cursory knowledge of Sucuri).

Back on November 7 Robert Mathews disclosed that he had discovered a vulnerability as it was being exploited in the plugin Shortcodes Ultimate and that he had then seen attempts to exploit it through another vulnerability that was in the plugin Formidable Forms. That vulnerability in Shortcodes Ultimate was fixed on October 31.

On November 9 we put out a post on the details of the vulnerability in Formidable Forms as there had not been any publicly disclosed information put out on it. That vulnerability had been fixed on October 25. The discoverer of that vulnerability, Klikki Oy, released a report on it on November 13.

Also on November 9 we added both vulnerabilities to the free data that comes with our service’s companion plugin (as we do for any vulnerabilities that hackers appear to be exploiting), so that even websites not using our service could be warned if they were still using a vulnerable version of the plugins.

Despite all of that, Sucuri only became aware of the exploitation of those vulnerabilities on November 20:

On Monday, November 20th, we were notified about a vulnerability that poses a serious security risk when the Shortcodes Ultimate and Formidable Forms plugins are used together on a single WordPress installation.

Even when they belatedly became aware of this, it was because someone else notified them, which reminds us of the time Wordfence only became aware of a vulnerability that was publicly disclosed and looked to be widely exploited when someone notified them of us discussing the issue. How people can think companies like these are leaders in the face of things like that is amazing.

It wasn’t until four days later that they released their post.

Just like we discussed with Wordfence recently regarding one of these vulnerabilities, these security companies don’t present the obvious lesson for the public from these situations, which is that you should be keeping your plugins up to date at all times, which can be done with things like our Automatic Plugin Updates plugin. Instead they are telling people only to update these plugins after they belatedly become aware of the issues. Here is Sucuri’s recommendation:

Update Now

As you can see, attackers are actively looking for this issue in the wild. If you’re using a vulnerable version of these plugins, we highly recommend that you update them now!

In the event where you cannot do this, we strongly recommend leveraging the Sucuri Firewall or equivalent technology to get it patched virtually.

The second part of the recommendation is problematic for a number of reasons, including that Sucuri’s firewall can often easily be completely bypassed (which they are aware of), that they only belatedly became aware of these vulnerabilities and therefore couldn’t have added virtual patching for them until long after they started being exploited, and that there isn’t evidence presented by them, much less evidence based on independent testing, that their firewall is actually effective in protecting against vulnerabilities (just a month and a half ago it was found to be susceptible to a fairly basic bypass technique).

So why not tell people that they should be keeping their plugins up to date? Well, it could be that they don’t understand that this is important (both of those companies don’t understand other basics of security). It could be that they would rather people not follow best practices that would likely provide much better protection than their services (it certainly looks like that would have been the case here). It also could be that it would get in the way of trying to get people to share their blog posts, since if everyone was keeping plugins up to date it would be a lot less important to tell people to update certain plugins.

A Service That Protects

If for some reason you are not able to keep your plugins up to date in general, which is claimed to be something common in academia, our service would probably provide you much better protection than those security services, since we actually keep up on vulnerabilities in WordPress plugins and warned our customers weeks before Sucuri mentioned these vulnerabilities.

Our focus though isn’t just on warning people about vulnerabilities after they are discovered by others, as was the case with these vulnerabilities, but on being proactive in finding and fixing plugin vulnerabilities, which is something we could do a lot more of if we had more customers (we already do much more than Sucuri or Wordfence seem to be doing). We do that through things like our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities, security reviews of plugins suggested/voted for by our customers, and our new tool for helping to identify possible vulnerabilities in plugins in an automated fashion.

We think we could make things even better if we were not dealing with a situation where the people of the WordPress side of things are intentionally blocking improvements to security and denying the reality of the problems that exist.
