With Autoptimize 2.7.7 released on August the 23rd and having been pushed to all sites that were still on 2.7.0-2.7.6 by the WordPress plugins team on Aug. 30th and 31th, resulting in just under one million downloads in 8 days time, it is now the moment for a small debrief of the security issues that … Read more
Autoptimize 2.7.7, which was release earlier today, has misc. improvements, but more importantly comes with 2 security fixes (one XSS, one malicious file upload, both for authenticated users), so please upgrade sooner rather then later.
[Updated 23/06 to reflect newer versions 2.1.2 and 2.2.1] Heads-up: Autoptimize 2.2 has just been released with a slew of new features (see changelog) and an important security-fix. Do upgrade as soon as possible. If you prefer not to upgrade to 2.2 (because you prefer the stability of 2.1.0), you can instead download 2.1.2, which … Read more
A couple of days ago I had another look at Content Security Policy, a technology that allows a site to tell a browser resources are allowed to be loaded to protect against XSS and some other types of web application vulnerabilities. CSP was originally devised by the Firefoxians, but is in the process of being standardized … Read more
Just a couple of small updates on previous stories to keep you posted really. We’ll start of with Ubuntu Natty Narwhal; beta 2 has been released earlier today. I’ve downloaded a lot of updated packages over the last few days, so I guess I’m on the second beta as well. The Unity launcher now comes … Read more
A few weeks ago I received the following in a mail from Google; As a small token of appreciation for helping keep Google’s users safe and secure, we’d like to credit you on our website. And indeed, yesterday my name was added to the “Honorable Mention” paragraph on Google’s Security Hall of Fame. I don’t consider … Read more
I just received confirmation from the Google Security Team that the bug I discovered in the iGoogle Facebook Gadget which allowed attackers to log into an other user’s Facebook account bypassing all authentication, has been fixed. So now that the hole has been closed, let’s look at what was happening, shall we? The gadget uses … Read more
When I proposed the lead developer of an open source web application to enable JSONP for the API, the developer replied: The whole thing sounds easy enough to implement, but I have some doubts that it will open the project to XSS attack of some sort. Don’t really know why, though. 🙂 We mailed a … Read more
Being “the computer guy” in the family might be a pain in the ass sometimes, but trying to help out users that are not tech savvy can be very revealing. Yesterday my father-in-law asked me to take a look at his computer, there was something about the browser that was not right. Turned out he … Read more
With a notoriously bad reputation for security (or the lack thereof) in Internet Explorer, Microsoft claims to have invested a lot in IE8 security in general and specifically in browser enforced website security. Indeed, according to the product site, IE8: […] helps protect you from today’s threats, including malware and phishing, as well as emerging … Read more