The most popular jQuery plugin, the jQuery File Upload plugin, used by companies like Cisco and by software like GitHub, has been vulnerable to attack since 2010, when the Apache project made a change that undermined a security assumption the plugin had made.
To make matters worse, this very popular open source plugin has been forked on GitHub over 7,500 times, meaning that there are 7,500+ different versions of this plugin, maintained, maybe, by 7,500+ different development teams.
The person who identified the vulnerability has tested 1,000 of these versions and they are ALL vulnerable to attack.
The company that supports the original plugin has fixed its version, but whether anyone will fix the other 7,500+ versions is unknown.
In addition, even if those versions are fixed, it will take years for the fixed versions to be rolled out, assuming businesses can even figure out whether any piece of software they run uses an affected version somewhere under the covers.
The software that uses it could either be open source or commercially licensed.
Okay, now that I have scared the hell out of you, what can hackers do using this vulnerability?
Bottom line, they can upload any arbitrary program and store it in any directory on the computer (such as a system folder). If they use it to overwrite a system file, all they have to do is wait for the system to execute that file, and they own the system.
Nothing important.
Bottom line – businesses need to get ahead of the software supply chain problem. This is both for software that companies develop and software that companies buy or license.
Alternatively, they can wait for the hackers to take over their systems.
And in case you think it would be too hard for hackers to do – not to worry – there have been how-to videos on YouTube for years.
Information for this post came from ZDNet.