Forgot your password?
typodupeerror
Security Worms

Wordpress.org Warns of Active Worm Hacking Blogs 103

Posted by timothy
from the in-this-case-the-worms-are-actually-human-beings dept.
Erik writes "Wordpress, the popular open-source Content Management System (CMS) for many thousands of bloggers worldwide, is under attack from a 'clever' worm that automatically compromises unpatched versions of the Wordpress system. The particularly nasty bug crawls the web for vulnerable Wordpress installations, installing malware, deleting content, and generally wreaking havoc wherever it can. Today, Wordpress founder Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently. Originally, updating the Wordpress system was a rather laborious process; however, newer versions offer fast and simple one-click upgrades. The two most recent versions of Wordpress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at Wordpress.com are also apparently immune."
This discussion has been archived. No new comments can be posted.

Wordpress.org Warns of Active Worm Hacking Blogs

Comments Filter:
  • Re:Hey Wordpress... (Score:3, Informative)

    by zn0k (1082797) on Saturday September 05, 2009 @07:11PM (#29327227)

    As outlined in TFA (yes, I know, I know) that's snake oil. You can run response tests to determine a version.

  • Re:aghhhh!!! (Score:2, Informative)

    by reboot246 (623534) on Saturday September 05, 2009 @09:02PM (#29327919) Homepage
    And isn't it about time you took the hint? :)
  • by phoebe (196531) on Saturday September 05, 2009 @10:33PM (#29328391)

    There is also a interesting point regarding software repository support. I have a server running Ubuntu 8.04 LTS Server which is supposed to be supported till April 2011, however Wordpress is in the Universe repository and not updated since November 2008 and is vulnerable to a few attacks that delete content.

    If these packages are not going to be updated should there not be at least a warning, or method to bar such packages from being installed after security issues have been raised?

    Wordpress 2.3.3 [ubuntu.com] in 8.04 LTS Universe repository.

  • by choongiri (840652) on Saturday September 05, 2009 @11:30PM (#29328685) Homepage Journal

    *sigh* I don't think you understand how package management and security fixes in debian / ubuntu works. New releases of software almost invariably introduce new features, as well as bug fixes. For that reason, important fixes for security issues are backported, and the version number stays the same. (Introducing new features to a LTS / stable release wouldn't be acceptible.)

    Now, what you said is technically true - if it's not being actively maintained for security fixes it *should* be removed - but the fact that Ubuntu's universe package of wordpress is still at 2.3.3 doesn't in and of itself mean that it hasn't been patched with the latest security fixes.

  • by Patheos (865163) on Saturday September 05, 2009 @11:54PM (#29328821) Homepage
    I personally use www.SimpleScripts.com for this exact reason. I use a ton of open source software for my websites and it is hard to keep track of all the updates made to them. SimpleScripts emails me every time an update comes out and it provides me a one click upgrade to the latest version for Wordpress, phpBB and Drupal which are the 3 systems I use the most.
  • by palegray.net (1195047) <philip.paradis@pa l e gray.net> on Sunday September 06, 2009 @12:32AM (#29328973) Homepage Journal
    I've verified that the OP's assessment of the situation is valid with respect to WordPress (a fresh install from the repos exposes unpatched vulnerabilities long after patches are released to correct the situation).

    I understand the Debian/Ubuntu package management and security release system quite well; I happen to work or a certain "Large Virtual Server Company" and I've been using Debian almost exclusively on my systems for almost ten years.
  • by Zancarius (414244) on Sunday September 06, 2009 @01:18AM (#29329179) Homepage Journal

    What's the point of offering it if they don't use it? Also, their blog has such a terrible noise-to-quality ratio that it's absolutely useless in this regard. All I care about is whether a new version is available or not - I couldn't care less about what new "awesome" features they've added or are trying to add - I just want to update my blog when new versions are released and leave it at that.

    The admin dashboard alerts you whenever a new version is available. You don't even need to register with/check their site.

"Life, loathe it or ignore it, you can't like it." -- Marvin the paranoid android

Working...