[June 3rd 19:40 UTC]
Earlier today (June 3rd), we were alerted to the fact that Avast AVG, a popular Anti-Virus software (specifically the Windows version) was incorrectly alerting its users of a potential Trojan virus in our included JavaScript file, events-manager.min.js
. This is a minified version of the events-manager.js
file that controls all front-end UI aspects of Events Manager.
We (as other plugins/themes/WordPress) minify JS files to reduce the size, therefore making load times faster whilst reducing your bandwidth costs.
Due to the popularity of Avast, and the fact that this affects anyone using it and visiting an EM-powered site, this caused a lot of confusion and panic. We received a lot of emails and forum posts about the issue.
#1 – Steps You MUST Take
Let’s skip to the important part… what you need to do so that you’re not affected!
This issue affects anyone using Events Manager on their site. We’re uncertain about which versions Avast falsely identifies a virus on that JS file, we have had reports that version 4.6.8 is affected and likely a few versions back too.
The easy solution is to just update the plugin to version 4.6.10. This now ships with the unminified JS file being included on your website, with newly-added options to include minified files from our settings page under General > Performance Optimization. We advise leaving this setting for now, until we confirm this false-positive has been acknowledged and updated by Avast themselves.
If you cannot or do not want to update to the latest version, there is another easy way to achieve the above, and that is to include the following line in your wp-config.php file:
define('EM_DEBUG', true);
In both cases, make sure you update your caches to ensure that the .min.js
file is not being served anymore.
Now… onto a breakdown of what happened.
Our First Steps Taken
Security is our top priority, and therefore the first step we took was to take this threat seriously and check the validity of this claim.
Our first thought was that (an unfortunate coincidence in timing) maybe one of our accounts were compromised as per this recent WordPress post, and some malicious code somehow made it to our recent update. We usually review every line of code being committed, but regardless…
We checked the SVN repository and compared the latest commit to one made three months ago. The affected lines in our main JavaScript file were correct. We then proceeded to re-minify the latest JS file locally, and compare the minified JS file we had with the one on the wordpress.org repo folder. They were the same. At this point we were fairly certain this was a false-positive, and informed our users of the current progress on both free and Pro forums.
Our focus was on the trunk folder in the SVN repo, because we don’t upload to the tags folder (the versioned folders which is what WP uses to serve the latest stable updates). The SVN history did not indicate further changes to the tags folder either. We upload to the trunk folder and directly copy from there to a new tag folder. For the curious, this is what we do:
svn cp "https://plugins.svn.wordpress.org/events-manager/trunk/" "https://plugins.svn.wordpress.org/events-manager/tags/x.x.x" -m "tagging x.x.x"
We then proceeded to compare these files with some of the reportedly infected JS files on live user websites. They too were the same, so we concluded with confidence at this point it was a false positive.
Check for yourself!
We made a little script that checked files or URLs against each other to ensure they are identical in content, by comparing MD5 checksums. We have made it public for now, so anyone in doubt can check their own JS files against the same version in the tags folder. However, we highly highly doubt that your JS file is infected, this was a false-positive.
‘Fixing’ the problem
Once we concluded that there was no virus or any foul play of any kind, we then started working on getting rid of these false notifications, since we understand that this would obviously scare any site visitors receiving this notice, true or not. Even though it was not our fault (or in our hands to fix the false-positive warning), it had to get resolved ASAP to prevent further unwanted consequences.
Upon further testing, by reproducing this ourselves by gaining access to a Windows environment with Avast installed, we concluded that the non-minified version of events-manager.js
loaded up just fine without any warnings. We immediately decided that the best course of action was to release an update which reverts to including the regular .js file instead of the .min.js version.
Additionally, we reported the false positive to Avast, and hope they proceed to update their databases so this doesn’t keep happening and users can resume serving the minified JS files.
Conslusion
Hopefully, everyone updates or switches to serving unminified files, Avast fixes their side of things and we can all continue along! For now, the tradeoff is likely negligible for most – the difference in size between .js
and .min.js
is about 100Kb, which is less significant in these high-speed internet days, and bear in mind that this file is usually loaded once per visitor since browsers cache these sorts of files. Moreoever, if you use CDNs then you are even less affected performance-wise.
Even with hindsight there’s not much (if anything) we could have done here to have prevented the problem. We did our utmost to react as quickly as possible. That said, we still send our sympathies to anyone affected by this incident.
Posterity
During the course of this day, we quickly created this blog posts and forum comments with some initial announcements to keep users informed. Here they are for posterity:
Main forum conversation on wordpress.org
Initial Announcements:
[June 3rd 15:16 UTC]
We have been made aware over the past 24 hours that Windows users with Avast AVG installed are getting erroneous virus warnings when visiting a website with Events Manager installed.
We have already confirmed that this is definitely a false-positive. We are working on a solution and will update you shortly here.
[June 3rd 16:13 UTC]
We have released version 6.9.10 which now loads the unminified JS file by default. We will follow up shortly.