5 posts • joined Friday 9th January 2009 10:01 GMT
TimThumb is not a WordPress plugin.
It is more commonly a part of themes and other WordPress plugins, so you won't know that your TimThumb is out of date. You have to trust that the WordPress plugin creators provide an updated version.
Unfortunately, many of the plugins and themes using TimThumb are commercially paid editions which are not managed directly by WordPress' own plugin database, you download and install them semi-manually or fully manually.
Also, these plugins and themes rarely publish which TimThumb version they use, they don't publish security advisories or notes regarding their products, and and and.
Nevermind that the entire concept of TimThumb is b0rken, technically speaking. :)
Generally, allowing pluggable PHP code is a Bad Thing security wise.
And we never did!
That is, at home we started with a 5 MB HDD connected to the dual-drive IBM PC. We never managed to fill that disk, and couldn't see how it would even be possible.
Later, we upgraded to an IBM PC XT with a 10 MB HDD, and then we filled it, of course. :)
Yes, Flash 10 is vulnerable.
The link IS in the advisory that El Reg links to, but the iDefense advisory sucks royally.
"iDefense has confirmed the existence of this vulnerability in latest version of Flash Player, version 188.8.131.52. Previous versions may also be affected."
Well, that's not the latest version of Flash Player, not by a long mile. This marks down iDefense as an unreliable source for advisories in my book.
It's not as if botnets ...
... have much CPU power available for massively parallel computing, now is it?
- Xmas Round-up Ten top tech toys to interface with a techie’s Christmas stocking
- Google embiggens its fat vid pipe Chromecast with TEN new supported apps
- NSFW Oz couple get jiggy in pharmacy in 'banned' condom ad
- Exploits no more! Firefox 26 blocks all Java plugins by default
- Shivering boffins nail Earth's coldest spot