Just a clarification on today’s WordPress security breach. I’m getting quite a few emails asking me what it’s all about, and I’m still reading lots of inaccurate recaps from bloggers (such as this one) around the net. Let me be clear: this is not a security flaw. This is a security breach. The difference is that a security flaw is an error or mistake: coding mistakes and overlooked holes. A security breach is far more malicious and is not the result of inadvertent mistakes in code. This breach was the result of a malicious hack on the server that modified already released code. Automattic’s liability here was not publishing an MD5 hash of the package for comparison; it was not an inherent weakness in WordPress 2.1.
Just so we’re clear, the problem was not in WordPress 2.0.x or 2.1; it was in some downloads of 2.1.1. Folks who downloaded 2.1.1 before the server was breached may be okay, but since there is no way to really know who got the bad copy and who got the good one, the safer bet is just to get WP 2.1.2.
Just to clarify – I didn’t specify anything on today’s WordPress security exploit other than quoting WordPress.org. I merely mentioned it because I was writing on the topic of security at that time.
True, but you blur the line between flaw (WordPress’ fault) and breach (hacker’s fault) when you say:
What does upgrading to 2.1 have to do with the security breach around 2.1.1?
First of all, I’ve already upgraded my blog to 2.1; I didn’t upgrade it to 2.1.1. And v. 2.1.1 was breached. So I’m indeed glad that I didn’t rush to upgrade my blog from 2.1 to 2.1.1. So I don’t see what this has to do with an “inaccurate recap”?
Secondly, I disagree with you that the breach is only the “hacker’s fault”. WordPress is responsible for keeping their servers secure.
I’m not going to argue with that. There should have been checksums on all downloads at the least. Automattic is still a young company that is learning as it goes. Call this a hard lesson learned.
At least we agree on something ;-)
Aaron,
Providing checksums is a small step in the right direction. However, it is useless in itself when the hosting file servers (web or FTP) get compromised, since it’s trivial for the hacker to modify the listed checksums to match the altered code.
I’d think a digital signature is in order here. As long as the signing server is separate and intact, site owners like us can verify the integrity and authenticity of a package independently of the downloading site.
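The distinction drawn in the comment above (a checksum the compromised mirror can simply rewrite, versus a signature it cannot forge without the key) is easy to show end to end. The following is an added Go example, not code from the original post or from WordPress/Automattic. It assumes an Ed25519 signing key that lives on a separate host and never touches the download server, a SHA256SUMS file signed with that key and served next to the archive, and a pinned public key obtained out of band; the file name and the archive bytes are constructed stand-ins for a real tarball.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download mirror serves: the archive, a SHA256SUMS file
// listing its digest, and a detached signature over SHA256SUMS. Whoever
// controls the mirror controls all three files, but can only produce the
// third if they also hold the signing key.
type Release struct {
	Archive []byte
	Sums    []byte // contents of SHA256SUMS: "<hex digest>  <filename>\n"
	SumsSig []byte // Ed25519 signature over Sums, made on the separate signing host
}

func sumsFile(archive []byte, name string) []byte {
	d := sha256.Sum256(archive)
	return []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(d[:]), name))
}

// Publish is the release manager's side: hash the archive, sign the sums
// file with the private key (assumed to be kept off the download server),
// and ship archive + sums + signature to the mirror.
func Publish(priv ed25519.PrivateKey, archive []byte, name string) Release {
	sums := sumsFile(archive, name)
	return Release{Archive: archive, Sums: sums, SumsSig: ed25519.Sign(priv, sums)}
}

// Tamper models the breach discussed on this page: an attacker with write
// access to the download server modifies the archive and rewrites SHA256SUMS
// so that a checksum-only check still passes. They cannot re-sign the sums
// file, so the old signature is left in place.
func Tamper(r Release, name string) Release {
	evil := append(append([]byte{}, r.Archive...), "\n// line injected on the compromised mirror\n"...)
	return Release{Archive: evil, Sums: sumsFile(evil, name), SumsSig: r.SumsSig}
}

// VerifyChecksum is the "minimal security" the commenters describe: it only
// proves the archive matches whatever SHA256SUMS the same mirror served.
func VerifyChecksum(r Release, name string) bool {
	return bytes.Equal(sumsFile(r.Archive, name), r.Sums)
}

// VerifySigned checks the signature on SHA256SUMS against a public key the
// site owner obtained somewhere other than the mirror, and only then trusts
// the digest inside it.
func VerifySigned(pub ed25519.PublicKey, r Release, name string) bool {
	if !ed25519.Verify(pub, r.Sums, r.SumsSig) {
		return false
	}
	return VerifyChecksum(r, name)
}

// Demo publishes a constructed release, tampers with it the way a mirror
// compromise would, and reports how each verification strategy fares.
func Demo() (checksumOnlyFooled, signedRejectsTampered, signedAcceptsClean bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const name = "wordpress-2.1.1.tar.gz" // constructed file name for the demo
	archive := []byte("constructed stand-in for the release tarball bytes")
	clean := Publish(priv, archive, name)
	bad := Tamper(clean, name)
	return VerifyChecksum(bad, name), !VerifySigned(pub, bad, name), VerifySigned(pub, clean, name)
}

func main() {
	a, b, c := Demo()
	fmt.Printf("tampered release: checksum-only check passes=%v, signature check rejects=%v\n", a, b)
	fmt.Printf("clean release: signature check accepts=%v\n", c)
}
```

The thing to notice is that the tampered release passes the checksum-only check cleanly, because the attacker updated the sums file along with the archive; it fails only because the signature over the sums file no longer matches. This is why the public key has to reach the site owner through a channel the mirror does not control (the project's own site over TLS, a key shipped with a previous verified release, a keyserver), otherwise the attacker replaces the key too.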
Automattic does not run wordpress.org! They’re very different entities.
There are MD5 sums on the site, but no one checked them, which is fine because it’s not really their responsibility. We’re doing an automated file checker that will notify us immediately if anything is changed.
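One way to build the kind of automated file checker Matt mentions, as an added Go example that is not the wordpress.org tooling: take a baseline of SHA-256 digests over the staged release tree, keep that baseline somewhere the web server cannot write, and periodically diff a fresh scan against it. The directory layout and file contents below are constructed for the demonstration and are not the real WordPress tree.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline walks root and records the SHA-256 of every regular file, keyed
// by its slash-separated path relative to root.
func Baseline(root string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		b, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(b)
		out[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return out, err
}

// Diff compares a stored baseline with a fresh scan and reports files whose
// content changed, files that appeared, and files that disappeared. Any
// non-empty result on a release directory is a page-worthy alert.
func Diff(old, cur map[string]string) (changed, added, removed []string) {
	for p, h := range cur {
		if oh, ok := old[p]; !ok {
			added = append(added, p)
		} else if oh != h {
			changed = append(changed, p)
		}
	}
	for p := range old {
		if _, ok := cur[p]; !ok {
			removed = append(removed, p)
		}
	}
	sort.Strings(changed)
	sort.Strings(added)
	sort.Strings(removed)
	return changed, added, removed
}

// Demo stages a constructed release tree in a temp dir, baselines it, then
// simulates server-side tampering (one file edited, one dropped in, one
// deleted) and returns what the checker reports.
func Demo() (changed, added, removed []string, err error) {
	root, err := os.MkdirTemp("", "release")
	if err != nil {
		return nil, nil, nil, err
	}
	defer os.RemoveAll(root)
	write := func(name, body string) error {
		full := filepath.Join(root, name)
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		return os.WriteFile(full, []byte(body), 0o644)
	}
	// Constructed file names; not the real WordPress layout.
	if err = write("wp-includes/example.php", "<?php // original\n"); err != nil {
		return nil, nil, nil, err
	}
	if err = write("wp-includes/other.php", "<?php // original\n"); err != nil {
		return nil, nil, nil, err
	}
	base, err := Baseline(root)
	if err != nil {
		return nil, nil, nil, err
	}
	// Simulated compromise of the download server.
	if err = write("wp-includes/example.php", "<?php // modified after release\n"); err != nil {
		return nil, nil, nil, err
	}
	if err = write("wp-includes/injected.php", "<?php // dropped in by the attacker\n"); err != nil {
		return nil, nil, nil, err
	}
	if err = os.Remove(filepath.Join(root, "wp-includes/other.php")); err != nil {
		return nil, nil, nil, err
	}
	cur, err := Baseline(root)
	if err != nil {
		return nil, nil, nil, err
	}
	changed, added, removed = Diff(base, cur)
	return changed, added, removed, nil
}

func main() {
	changed, added, removed, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("changed=%v added=%v removed=%v\n", changed, added, removed)
}
```

The baseline is only as trustworthy as where it is stored and who can write it: if it sits on the same box with the same permissions as the web root, the attacker who edits the release can regenerate it too, which is the same weakness as a mirror-hosted checksum file. Keep it off-box or on a read-only mount, and have the scan run from a separate account or host.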
Matt-
Where are the checksums on the download page? To this day, I don’t see them. Though I agree that that is only minimal security.
Incidentally, I think you’ve got a tough fight on your hands if you are going to take the stance that Automattic wasn’t responsible for WordPress. Automattic may not “run” WordPress.org in that it’s open source. But Automattic is known for WordPress, and I’m assuming the server was an Automattic server and that it was Automattic guys who resolved the issue. It’s going to be hard convincing people that Automattic is not involved with WordPress in this situation. :)
The MD5s can be more obvious, but I don’t think that addresses the fundamental issue.
I have no problem with Automattic being known for its contributions to WordPress, including providing most of its infrastructure, but I think it’s insulting to the larger community (including yourself) to refer to them synonymously. I’m very proud of how people inside and outside of Automattic responded to this problem.
My contribution to this conversation was not intended to be “insulting”, Matt. In fact, my comments really had very little to do with highlighting anything about Automattic’s role. I do not blame Automattic or anyone other than the bastard who compromised the server. My comments were merely in response to inspirationbit (who also took offense when none was intended – apparently, I’m striking out lately).