Wordpress security - is the entire community vulnerable?

I read an interesting article via Slashdot today on the recently-launched BlogSecurity.net. The article claims the Wordpress community is vulnerable based solely on the following:

The following statement was taken from WordPress: None of these [WordPress Versions] are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained.

Currently (at the time of writing this article) the latest stable versions are:

  • WordPress 2.0.10 and
  • WordPress 2.2

This smells of FUD. First off, what does this statement mean?

BlogSecurity incrementally harvested the WordPress software version from 50 blogs

How did BlogSecurity obtain the version information from Wordpress blogs? Which blogs did it select to poll, and what process did it use to select them? Where were these blogs hosted? Those questions, and more, are essential to understanding the true impact of Wordpress security flaws and how dangerous they actually are.

Then there’s the issue of defining a “vulnerable” Wordpress installation. The article simply declares old versions of Wordpress vulnerable carte blanche, without providing any information on exactly which vulnerabilities exist. What privileges and access a security flaw grants, how easy the exploits are to use, and similar details are pretty important to a claim of a frightening insecurity rampant across an entire community. Additionally, 2.1.3 is defined as insecure by the article because it has been replaced by 2.2; however, 2.2 was released only 8 days ago, and provides so many feature updates that I (and probably many others) are waiting before upgrading. If there were important security flaws in 2.1.3, I would expect Wordpress to provide security patches without forcing a feature upgrade.

Don’t get me wrong - articles like this are important, as they raise mainstream awareness of security beyond those who constantly read security sites. Frankly, I don’t yet know enough about the specific Wordpress security flaws patched in each version, but as a result of this article I’ll be reviewing them soon. However, basing a security statement of frightening, alarming proportions solely on which software version people are using to drive personal blogs, without any further research on what specific security holes exist (and how easy they are to exploit and what privileges or access they give), is, in my opinion, FUD.

The author has promised a new posting “shortly” to address these questions. I’m interested to see what information he has to share, including what version of Wordpress he uses to run his blog.

UPDATE

SecurityFocus has a blurb on the issue, and Matt Mullenweg has joined the conversation. Still no word on how exactly the 50 blogs were selected, what kind of blogs they are, whether they are self-hosted (as opposed to auto-script installed) and how the information was obtained (SecurityFocus refers to it as a survey). With more information and a wider sample size, this could be useful information. As it stands, I still think it’s useless.


5 Comments

  1. A friend:

    heh, interesting comments but I would suggest you install the latest version yourself :)

  2. Cris:

    Thanks for stopping by friend!

    I agree, I probably should upgrade. To be honest, I wasn’t ready yet to launch this site, but I was so fascinated by this article I couldn’t resist. I’ll definitely be updating the site and adding features very soon.

  3. The Life Ledger » Blog Archive » New Site: noshrinkwrap.com:

    […] on a couple of other projects. I have decided to prematurely launch one project today, due to an interesting survey on Wordpress security released today. The project is a new site called NoShrinkWrap, and will focus on reviewing mainly Web2.0 […]

  4. No ShrinkWrap Web2.0 Reviews » Blog Archive » Upgrading Wordpress:

    […] to say again - I appreciate Blogsecurity.net efforts in evangelizing blog security. I think I was a little knee-jerk in reacting before, and am looking forward to more discussion on the survey data and security issues. By the way, […]

