Two weeks ago WordPress 4.7.2 was released, and website administrators running self-hosted versions of the hugely popular CMS and blogging platform were advised to update their systems as a matter of urgency.
What we didn’t know at the time was just how important that WordPress update was.
Last week, WordPress revealed that 4.7.2 had secretly included a fix for an undisclosed critical vulnerability.
If left unpatched, the vulnerability could allow a malicious attacker to modify the content of any post or page on a WordPress site.
The reason the vulnerability wasn’t made public at the time of WordPress 4.7.2’s release was the very real worry that malicious hackers might race to exploit the flaw, attacking millions of blogs and company websites.
In early June 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating.
Casino security pulled up the surveillance tapes and eventually spotted the culprit, a black-haired man in his thirties who wore a Polo zip-up and carried a square brown purse. Unlike most slots cheats, he didn’t appear to tinker with any of the machines he targeted, all of which were older models manufactured by Aristocrat Leisure of Australia. Instead he’d simply play, pushing the buttons on a game like Star Drifter or Pelican Pete while furtively holding his iPhone close to the screen.
Steam, an online game platform with more than 125 million active accounts, is in the process of fixing a serious security hole that opens users to hacks that could redirect them to attack sites, spend their market funds, or possibly make malicious changes to their user profiles.
As this post was going live, employees with Valve, the company that develops Steam, were reportedly in the process of fixing the bug. Unconfirmed posts such as this one reported that the cross-site scripting hole had been patched on the initial activity feed pages but not on subsequent pages. Valve representatives didn't respond to e-mails seeking comment for this post.
This week, Vizio, which makes popular, high-quality, affordable TV sets, agreed to pay a $2.2 million fine to the FTC. As it turns out, those same TVs were also busily tracking what their owners were watching, and shuttling that data back to the company’s servers, where it would be sold to eager advertisers.
That’s every bit as gross as it sounds, but Vizio’s offense was one of degree, not of kind. While other smart TV platforms don’t sell your viewing data at the IP level to the highest bidder without consent, as Vizio did, many do track your habits on at least some level. And even the companies that have moved on from ACR (automatic content recognition, which fingerprints what is on screen), such as LG when it embraced webOS, have older models that liberally snoop.
But good news! There are ways to keep your smart TV from the prying eyes of the company that made it. In fact, there’s one absurdly easy way that will work for any television you can buy. Let’s start there.