Researchers found a third of the top WordPress e-commerce plugins contain severe vulnerabilities tied to XSS cross-site scripting, SQL injection and file manipulation flaws.
Threatpost | The first stop for security news
The Eclipse Foundation, the organization that oversees development of the Eclipse development environment, has a new member: Microsoft announced Tuesday that it is joining so that it can more easily collaborate with the Eclipse community.
Simultaneous with that move, the company open sourced its Team Explorer Everywhere plugin for Eclipse, which allows Eclipse users to use Team Foundation Server for their version control and bug tracking. The code is now up on GitHub. The Team Explorer Everywhere plugin joins the Azure Toolkit for Eclipse, which is already open source.
To further streamline integration with Microsoft’s services for Eclipse users, there is new support for Codenvy in Visual Studio Team Services. With the Codenvy extension, VSTS can generate an Eclipse workspace on demand, quickly setting up a virtual machine with all the right plugins and build tools to work on a project. Codenvy VMs can also now be provisioned on Azure thanks to a new Codenvy VM in the Azure Marketplace.
Binary browser plugins using the 1990s-era NPAPI (“Netscape Plugin API”, the very name betraying its age) will soon be almost completely squeezed off the Web. Microsoft dropped NPAPI support in Internet Explorer 5.5, and its Edge browser in Windows 10 also drops support for ActiveX plugins. Google’s Chrome started phasing out NPAPI support in April this year and dropped it entirely in September.
Now it’s Firefox’s turn. Netscape’s open source descendent will be removing NPAPI plugin support by the end of 2016. Some variants of the browser, such as 64-bit Firefox for Windows, already lack this plugin support.
Mozilla’s plans resemble Microsoft’s and Google’s in more than one way. There’s one plugin that traditionally used NPAPI that’s special: Flash. Chrome and Edge both embed and update their own versions of the Flash plugin, and even after 2016, Firefox will continue to support Flash. Though the scope and capabilities of HTML5 have continued to grow, Flash remains a significant part of the Web, especially for interactive content such as games. Many of these uses are declining, but support for Adobe’s technology will still be a practical necessity in a general purpose browser at the end of 2016.
This month’s Patch Tuesday update for Internet Explorer will include a new feature: it will block out-of-date ActiveX controls.
More specifically, it will block out-of-date versions of the Java plugin. Although Microsoft is describing the feature as an ActiveX block, the list of prohibited plugins is currently Java-centric. Stale versions of Flash and Silverlight will be able to stick around, at least for now, though Microsoft says that other out-of-date ActiveX controls will be added to the block list later.
Old, buggy versions of the Java plugin have long been used as an exploit vector, with Microsoft’s own security report fingering Java in 84.6 to 98.5 percent of detected exploit kits (bundles of malware sold commercially). Blocking obsolete Java plugins should therefore go a long way toward securing end-user systems.
Read 1 remaining paragraphs | Comments