WordPress 4.0.1 – Critical Security Release

Image credit: Andy Fitzsimon

WordPress.org states that 4.0.1 is a critical security release for all previous versions. All sites are strongly encouraged to update. If you have automatic background updates turned on, your site will be updated automatically in the next few hours. If you do not have automatic updates turned on, download WordPress 4.0.1 or log in to your WP backend, go to Dashboard > Updates and simply click “Update Now”.

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Jouko Pynnonen. This issue does not affect version 4.0, but version 4.0.1 does address these eight security issues:

  • Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
  • An extremely unlikely hash collision could allow a user’s account to be compromised, which also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković.

New WordPress Theme Vulnerabilities Discovered

Wordfence creator Mark Maunder has identified several themes with either a cross-site request forgery (CSRF) file upload vulnerability or an email sender vulnerability. Exploitation of these security holes has been seen in the wild. If you are using any of the themes listed below, you should contact the developer immediately to see if a patch is available. Work with them to determine whether your particular version contains the vulnerability and get their advice on what action to take. If the developers do not respond after a reasonable amount of time, work with your hosting provider or webmaster to determine whether you have a vulnerability and what action to take. Remember that deactivation will not remove the vulnerability: the theme’s files remain on the server and can still be requested directly. If no patch is available, or if the theme appears abandoned or unsupported, you should completely uninstall and remove all files associated with the theme or plugin from your site to close the security hole.

  • Cubed Themes version 1.0 to 1.2. Remote file upload vulnerability. Distributed by themeprofessor.com. Exploit released on 9 November 2013.
  • Army Knife Theme, unspecified version. CSRF file upload vulnerability. Theme is distributed by freelancewp.com. Exploit released 9 November 2013.
  • Charcoal Theme. CSRF file upload vulnerability. Distributed by the official WordPress repository. The theme hasn’t been updated for several years, so we recommend deleting all files from your system.
  • WP Realty Plugin may contain an email sender vulnerability. Please contact the vendor for clarification. We’re seeing exploits that claim to exploit this hole. Plugin is distributed by wprealty.org.
  • The following themes distributed by orange-themes.com appear to contain a remote file upload vulnerability and we’re seeing exploits appear in the wild, all published around November 12, 2013: Rockstar Theme, Reganto Theme, Ray of Light Theme, Radial Theme, Oxygen Theme, Bulteno Theme, Bordeaux Theme. Please contact the vendor to find out if your theme is affected and what action to take.
  • Amplus Theme version 3.x.x contains a CSRF file upload vulnerability. We’re unclear who the vendor is, but it appears to be Themeforest.
  • Make a Statement Theme version 1.x.x (also known as MaS) contains a CSRF file upload vulnerability. Exploit distributed November 17, 2013. Vendor is themes.mas.gambit.ph.
  • Dimension Theme, unspecified version, contains a CSRF file upload vulnerability. Theme is distributed by ThemeForest. Exploit appeared November 17th, 2013.
  • Euclid Version 1 Theme contains a CSRF file upload vulnerability. Exploit appeared today. Theme is distributed by FreelanceWP.com.
  • Project 10 Theme, Version 1.0. Remote file upload vulnerability. Distributed by ThemeForest. Exploit appeared today.
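For theme developers wondering what separates a “CSRF file upload vulnerability” from a safe upload feature, here is an added illustration of a hardened WordPress upload handler. It is not code from any of the themes named above, and the function names, the `example_theme_upload` action and the `example_theme_nonce` field are made up for the example; the WordPress APIs it calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `wp_handle_upload`) are real core functions.

```php
<?php
/**
 * Added example (not from any theme listed on this page): a theme upload
 * handler that closes the gaps behind a "CSRF file upload" hole. All
 * example_theme_* names and the nonce/action strings are made up.
 */

// 1. Form side. The nonce ties this form to the logged-in user and to one
//    specific action, so a request forged from another site cannot carry it.
function example_theme_upload_form() {
    if ( ! current_user_can( 'upload_files' ) ) {
        return; // do not even render the form for users who may not upload
    }
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_theme_upload">
        <?php wp_nonce_field( 'example_theme_upload', 'example_theme_nonce' ); ?>
        <input type="file" name="example_file">
        <?php submit_button( 'Upload' ); ?>
    </form>
    <?php
}

// 2. Handler side. The vulnerable pattern is a standalone PHP file in the
//    theme that reads $_FILES and writes the file to disk with no check on
//    who sent the request or what the file is. The hardened handler below
//    runs only through admin-post.php for logged-in users and adds three
//    checks: capability, nonce (CSRF), and file type.
function example_theme_handle_upload() {
    // (a) capability: only users allowed to upload media get this far
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // (b) CSRF: dies with a 403 unless a valid nonce for this action is present
    check_admin_referer( 'example_theme_upload', 'example_theme_nonce' );

    if ( empty( $_FILES['example_file'] ) ) {
        wp_die( 'No file supplied.', '', array( 'response' => 400 ) );
    }

    // (c) file type: restrict to a small allow-list of image types. Core's
    //     wp_handle_upload() also checks the extension against the file's
    //     real content, so a .php file renamed to .png is rejected.
    $overrides = array(
        'test_form' => false,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
        ),
    );
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['example_file'], $overrides );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    // Success: $result['file'] is the path inside the uploads directory.
    wp_safe_redirect( admin_url( 'upload.php?uploaded=1' ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; there is deliberately
// no admin_post_nopriv_ hook, so anonymous requests never reach the handler.
add_action( 'admin_post_example_theme_upload', 'example_theme_handle_upload' );
```

When auditing a theme for this class of issue, the questions to ask are the three the handler answers: is there a capability check, is there a nonce check, and does the file land on disk only after WordPress has validated its type.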

See also CVE Details

Why You Should Upgrade to Windows 8.1

Eight Reasons to Consider Upgrading to Windows 8.1

Start Screen

UPDATE: Microsoft has temporarily pulled the 8.1 RT version due to issues some users experienced when installing the update on their tablets and mobile devices.

  1. The Start Button Is Back! One of the most hated Windows 8 changes was the missing Start button. Windows 8.1 brings it back to the taskbar—tap or click to get to Start. If you prefer, you can now go straight to the desktop when you sign in, and use the same background for both your desktop and Start. Plus, see all your apps at a glance in the new all-apps view. Right-clicking the Start button brings up a handy menu of power user and system management tools: Event Viewer, Device Manager, File Manager, Control Panel, Run Command, Search, to name a few.
  2. It Has a Smaller Footprint: If you are already running Windows 8, upgrading to 8.1 will get back 8-15% of storage space.
  3. Improved Search: Bing Smart Search gives you results from your PC, your apps, and the web. Results are in a clean, graphic view that lets you do things and launch apps right away. Find a song and start playing it, or find a video and watch it right away.
  4. SkyDrive,Your Files are Always with You: SkyDrive is free online storage that’s built into Windows 8.1. Save documents, photos and other files to SkyDrive automatically, and get to them anytime, from any of your PCs or devices. You can also use SkyDrive to protect your files if something happens to your PC. And you can use SkyDrive to share and collaborate with others, and see your stuff on mobile and non-Windows devices. Microsoft has made SkyDrive the default place to save new documents, and improved things on the back-end to ensure the system sees them as local files in every way that matters (for searches, etc.).
  5. Improved Multitasking: The snap feature is much improved, allowing you to resize side-by-side apps to suit your needs. Depending on the size of your screen, you can see up to four apps at once.
  6. Automatic App Updates: Windows apps will now update automatically. Updates happen in the background, and the Windows Store will stop bugging you with that ever-increasing count of pending updates.
  7. Improved Multi-Monitor Support: Web Designers, Graphic Artists and Photo Editors rejoice! External monitors are a big deal for Windows tablets, since many of them have serious computing power but screens that aren’t exactly what you’d call large. Now in Windows 8.1, users will have more control over how content renders on a second display, giving tablets more flexibility.
  8. Native Facebook App: If you upgrade to Windows 8.1, you’ll be able to run the official Facebook app for Windows, which provides a native experience for PCs.

Windows 8.1 was released October 17, 2013. It took about an hour to update my laptop from Windows 8 to 8.1.  My computer had trouble reconnecting to my router after the upgrade, but a router reboot solved the issue.  Other than that, the upgrade process went smoothly.  Learn more about all the new features here.

Short video on how to update to 8.1

iOS 7 Rolls Out Today – What You Need to Know Part 1

Today, Apple released the latest mobile platform update, iOS 7. iOS powers the iPhone, iPad and iPod Touch devices, and is also used on Apple TV. This article focuses on mobile devices.

Compatibility

Before you upgrade, check to see if your device is compatible with iOS7:

In addition to the newly announced iPhone 5s and 5c, the following devices are compatible with iOS 7:

  • iPhone 4
  • iPhone 4S
  • iPhone 5
  • iPad 2
  • third generation iPad with Retina display
  • fourth generation iPad with Retina display
  • iPad Mini
  • fifth generation iPod Touch

Also note: Some new features are not available on older generation devices.

New Look

The first thing you’ll notice is the new look. No more glossy beveled icons. The design goals were to make iOS7 “simpler, more useful and more enjoyable — but still feel instantly familiar.” It takes some getting used to, especially for long-time devotees, but the overall reaction to the new design has been positive thus far. Designers across the web have been scrambling to emulate the “flat-look” trend. Despite the cosmetic makeover, most of the features and options you are used to are still in the same places. There are some new features to take note of, outlined below under New Features.

New Features

Navigation

Swiping from the right and left edges of the screen has come into its own as a quicker, more efficient way to navigate iOS, as well as to get around the web in Safari.

Control Center

This feature has been on the user wishlist for some time. The Control Center is activated by swiping upwards from the bottom of the screen to reveal a set of options for controlling various settings. The arrangement of these icons differs depending on whether you’re using your device in landscape or portrait mode, but the options, icons and functions remain the same. This feature seems to be more suited to the larger iPad screen. On the iPhone, Control Center takes up the majority of the screen, while on the iPad it only takes up a quarter of the screen in portrait mode. The layout is much less confusing as well, with each feature sectioned off in thirds on the iPad: media controls are located on the left, toggles in the middle, and frequently used app shortcuts on the right.

Because the feature is accessible anywhere by default, Control Center can also be opened from the lock screen without unlocking your phone. If you would like to change this, you can stop Control Center from appearing on your lock screen or while you are using apps via the Settings > Control Center menu.

AirDrop

AirDrop facilitates sharing between iOS devices.  It lets you quickly and easily share photos, videos, contacts — and anything else from any app with a Share button. Just tap Share, then select the person you want to share with. AirDrop does the rest using Wi-Fi and Bluetooth. No setup required. And transfers are encrypted, so what you share is highly secure. Your AirDrop visibility settings can be configured from Control Center to allow interaction with nobody, only those you know (your Contacts) or Everyone.

The option to share via AirDrop shows up whenever you tap the Share button for most items, including photos, videos, contacts and web pages. To use AirDrop, choose an item you would like to share, hit the Share button (it looks like a box with an arrow coming out of it) and select the target device in the AirDrop field. If no devices show up, tell the recipient to adjust their visibility or add you as a contact.

Receiving via AirDrop is similarly simple: whenever a user tries to share with you, a confirmation dialogue will appear asking whether you want to receive the item. The prompt will often include a preview of the photo or video and an indication of what it is you are receiving.

This new feature only works on the iPhone 5, fifth generation iPod Touch and the fourth generation iPad (and older) and iPad mini due to a dependence on a newer Wi-Fi chip found in these devices.


More on the Apple site
The folks over at MakeUseOf have put together a handy guide to all things iOS7

WordPress 3.6.1 Security Update

The WordPress 3.6.1 Security Update was released this week. I highly recommend updating your site as soon as possible.

3.6.1 patches three important security vulnerabilities that exist in 3.6, listed below:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.

Additionally, the WordPress Security Team adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

Make plans to upgrade to WordPress Core version 3.6.1 now to keep your site secure. As always, be sure to back up your files and database before upgrading to 3.6.1. I highly recommend BackupBuddy, which allows you to easily schedule or run on demand either a full site backup or a database-only backup. If you are more comfortable having someone else run your backups and install updates, I am more than happy to help.

Mastering the Smart Sharpening Filter in Photoshop

Using the New Adobe Generator

A new feature for Photoshop CC users promises to be a time-saver, especially for web designers. Justin Seeley gives a great overview of Adobe Generator in the above video.

Generator allows you to create image assets in real time as you work, eliminating the tedious steps of copying, slicing and exporting each layer manually, and saving you hours of time. Simply add a file extension to the name of your layer or layer group, and Photoshop will automatically create a JPG, PNG or GIF from the contents of that layer. If you make a change to that layer, the file is immediately updated. This means that you now have a folder of images that are always up-to-date with your Photoshop design.

Details can be found here on Adobe’s Blog


Precise Placement of Lens Flare Filter in Photoshop

Lens flares can add visual interest to your photographs.  Unfortunately the preview window Photoshop gives you for placing the flare is frustratingly small.  The following short tutorial steps you through precise placement of the lens flare effect on your image.

Step 1

Open your image in Photoshop

Step 2

Open the Info window. You may have it docked on your workspace; if it is not available, go to the “Window” menu and select “Info” or hit the [F8] key.

Step 3

Check that your measurement settings in the Info window are set to Pixels. Locate and click the drop-down arrow next to the X Y coordinates quadrant of the Info window and select “Pixels”.

Set Info to measure in pixels

Step 4

Put your cursor over the spot in your image where you want the Lens Flare effect to start and make a note of the X and Y coordinates.

Position your cursor


Step 5

Alt+click (Option+click on Mac) the new layer icon in your Layers palette. The New Layer options window will appear. Name your layer “Lens Flare”, change the Mode to “Hard Light”, check the box next to “Fill with Hard-Light-neutral color (50% gray)”, then click [OK].

New-layer-options


Step 6

With the new “Lens Flare” layer selected, go to the “Filter” menu > “Render” > “Lens Flare”; the Lens Flare window will appear.

Apply Lens Flare filter


Step 7

Select the Lens Type and Brightness for the flare you want to use. I usually leave the Brightness at 100% and select 50-300mm Zoom as the Lens Type, but you may want to try different settings.

Step 8

Alt+click (Option+click on Mac) in the small Lens Flare preview window that appears; you will then have access to the “Precise Flare Center” setting. Type in the X and Y coordinates you took note of in Step 4, then click [OK].

type in flare coordinates


You now have your lens flare, placed right where you want it in the image. Since the lens flare effect is on its own layer, you have more control over the effect: you can adjust the transparency and add clipped adjustment layers like Hue/Saturation to further refine the flare.

Final Lens Flare Applied