Software patch dilemma: Crucial to keep it up-to-date, but it’s also risky
It’s a longtime cybersecurity mantra: Keep your software up-to-date. But that sometimes collides with a just-as-longtime cybersecurity reality: Updating software components is not always easy, safe, or even possible.
And among thousands of examples of both is the recent disclosure of significant vulnerabilities in the popular web content management system WordPress.
One, in a plugin called Essential Addons for Elementor, could allow an attacker to gain elevated privileges on sites that are using it. Another, in the WordPress Advanced Custom Fields plugin, could allow a cross-site scripting (XSS) attack. XSS can allow hackers to deface websites, compromise user accounts, and run malicious code on web pages, which can allow them to compromise a user’s device.
The National Vulnerability Database (NVD) has tracked the first vulnerability as CVE-2023–32243 and as of last week hadn’t given it a severity rating. But Patchstack, a tool to flag vulnerabilities in WordPress apps and plugins and also a CVE numbering authority, gave it a severity level of 9.8 out of 10, or critical. There are more than a million users of that plugin.
The Advanced Custom Fields plugin is tracked as CVE-2023–30777 and also hasn’t received a severity rating from the NVD, but Patchstack gave it a 7.1, or high. There are an estimated 1.4 million websites using it.
It’s not picking on WordPress to point these out — users need to know about them. Indeed, WordPress has apparently been a target of choice for hackers for months. The Hacker News reported that there has been “a new wave of attacks targeting WordPress sites since late March 2023 aiming to inject the infamous SocGholish (aka FakeUpdates) malware [that] has been distributed via drive-by downloads masquerading as a web browser update.”
But it’s also worth pointing out that the company is no outlier. Virtually every organization in the modern world has had or will have one or more serious vulnerabilities in its software products. There were more than 25,000 discovered in 2022. That will continue and almost certainly increase because more software is being created every day, and it is never perfect — it’s made by imperfect humans after all.
Installation required
The good news in the WordPress cases is that there are patches available for both vulnerabilities. Version 5.7.2 of Essential Addons was shipped May 11, a day before the public disclosure, and version 6.1.6 of Advanced Custom Fields was shipped May 4, two days after Patchstack discovered the vulnerability. But to benefit from them, you have to install them.
Which takes us back to that mantra: It’s important to keep your software up-to-date. Software is omnipresent today — you may have heard a dozen years ago that software is eating the world. It runs businesses and enables innovation. But software that is not secure can put your business, your personal information, your finances, and more at risk. Which is exactly the case here.
And as everybody who uses software ought to know, most patches and updates don’t install themselves. In some cases vendors provide an autoupdate feature, and most commercial software vendors “push” updates out to users. But WordPress is built with open source software, which means users first have to be aware of what software components (like plugins) they’re using, keep track of any discovered vulnerabilities in those components, and then “pull” updates from the vendor as soon as they are available.
As painful history has shown, that doesn’t always happen. Thousands of organizations fail to apply available patches to vulnerabilities in their software supply chains. The most recent annual “Open Source Security and Risk Analysis”(OSSRA) report by Synopsys, in an analysis of more than 1,700 codebases, found that 89% had open source software components that were more than four years out-of-date, and 48% included high-risk vulnerabilities.
The danger from unpatched vulnerabilities is real. Patchstack, along with disclosing the vulnerability in Advanced Custom Fields, released a proof-of-concept (PoC) exploit of it. And while that came after the 6.1.6 update had been released, the Akamai Security Intelligence Group reported almost immediately that attackers had begun trying to exploit the vulnerability using the code from the Patchstack PoC.
Much the same has happened with Essential Addons — Bleeping Computer reported late last week that researchers had published a PoC exploit for that plugin on May 14, generating millions of probes attempting to find the plugin on websites according to security plugin vendor Wordfence, which reported that at least 6,900 exploitation attempts had been blocked.
Reality of risks
But all that also takes us back to the reality that updating can come with risks as well. Updating components in a platform like WordPress isn’t like tapping an icon on your phone, waiting a few seconds and it’s done.
Tim Mackey, head of software supply chain risk strategy within the Synopsys Software Integrity Group, has said more than once in the past that, “every piece of software has unique functionality, and every update changes that functionality in some important way.”
“Simply replacing one version of a component with another in an application that was never tested with the changed version creates a scenario where the application could misbehave simply because the assumptions the application developers made aren’t true any longer.”
Jamie Boote, senior consultant with the Synopsys Software Integrity Group, is also well aware of the dilemma. “Not upgrading is a security risk, but upgrading can break things that are already working,” he said.
“Both are problems that can threaten a WordPress site’s uptime. When WordPress upgrades major versions or changes functionality, often plugins might stop working. I personally have had a couple of WordPress sites stop functioning according to their intended use cases after either WordPress updated or a plugin changed in an update,” he said.
Beyond that, sometimes installing an update isn’t even possible. This past December, a year after the disclosure of the notorious Log4Shell vulnerability in the Apache Software Foundation’s Log4j logging library, a majority of Log4j users still hadn’t installed an update that fixed the vulnerability.
Kurt Seifried, chief innovation officer at the Cloud Security Alliance, said at the time that “a lot of the people not patching are running some old app using Log4j that can’t be updated.”
Don’t be careless
What to do? In the majority of cases, the answer remains to update if possible, but do it carefully — very carefully.
Boote said the first thing to do when bringing new software into a production stack, such as a WordPress plugin, is to make sure it’s not bringing vulnerabilities with it.
“It’s important to do due diligence to ensure that adding new functionality doesn’t come bundled with known vulnerabilities. A quick check of the NVD should be enough to see if there are any nasty vulnerabilities hiding in the code you’re bringing in,” he said.
In the case of Log4j, “that was a new vulnerability in an old library,” he said. “Vetting Log4j for vulnerabilities prior to the discovery of the vulnerability obviously wouldn’t have caught it, but after it was it was vitally important to find vulnerable instances. This means that the other half of checking for library vulnerabilities means checking for vulnerabilities in existing codebases and libraries.”
And the best way to know what’s in existing codebases and libraries? As has been said much more frequently in the past couple of years, especially since President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity, software products should come with a software Bill of Materials (SBOM) — a list of every component they contain.
Not only does an SBOM help an organization know if it’s using a component that has a newly discovered vulnerability, it can also help organizations know what’s in the products they’re buying.
“The way a library gets from the software developer to your environment could be fraught with risk,” Boote said. “This is where integrity information contained in SBOMs can help. Using the software signatures and metadata they contain can provide the consumer of that software with confidence that the set of bits they are about to install is a perfect one-to-one match to the set of bits the distributor intended.”
“This can mitigate threats from typo squatting, where attackers clone a public library, insert malicious code, and give it a title similar to the official repository,” he said.
That suggests a corollary to another software security mantra: “You can’t protect what you don’t know you have.” You also don’t want to buy something if you don’t know everything that’s in it.
“Automatic updates are a great way to keep everything up-to-date, but they can represent a minor uptime and functionality risk in and of themselves,” Boote said. “For more critical systems where uptime loss is money loss, it’s important to have an update strategy and vetting system in place to ensure that the software is running the latest and greatest versions for security purposes but doesn’t suffer a self-inflicted denial-of-service.”
So, you have been warned. “Keep your software up-to-date” is still a worthy mantra. But it comes with a caveat. Don’t let your efforts to make things better make them worse.
