Bloggers' failure to upgrade risks attacks
Published: 2007-05-24

A small survey of blogs that use the popular WordPress blogging software has found that the sites' administrators are not sticklers about patching, which could leave the door open to increasingly common compromises with malicious JavaScript.

The survey, published by security analyst David Kierznowski on Wednesday, found that only one of the 50 surveyed WordPress sites had upgraded to the latest supported versions -- 2.2 and 2.0.10 -- of the open-source package. Nearly half of the sites had not even been upgraded from the unsupported 1.5 branch of the WordPress software.
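As an added example, not part of the article and not Kierznowski's survey method (which the article does not describe): one way to run such a version check over a set of blogs is to read the `<meta name="generator">` tag that WordPress emits by default and compare the advertised version against the releases the article names (2.2 and 2.0.10 as the latest supported, the 1.5 branch as unsupported). The sample pages, site names and status labels below are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Versions named in the article: 2.2 and 2.0.10 were the latest supported
# releases at the time; the 1.5 branch was already unsupported.
LATEST_SUPPORTED = {"2.2", "2.0.10"}
UNSUPPORTED_BRANCHES = ("1.5",)


class GeneratorTagParser(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <meta ... /> tags also arrive here via handle_startendtag.
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def wordpress_version(html):
    """Return the WordPress version string advertised by the page, or None."""
    p = GeneratorTagParser()
    p.feed(html)
    for g in p.generators:
        m = re.match(r"\s*WordPress\s+([0-9]+(?:\.[0-9]+)*)", g, re.I)
        if m:
            return m.group(1)
    return None


def classify(version):
    """Map a version string to a patch-status label (labels are our own)."""
    if version is None:
        return "unknown"        # no generator tag, or not WordPress
    if version in LATEST_SUPPORTED:
        return "current"
    if any(version == b or version.startswith(b + ".") for b in UNSUPPORTED_BRANCHES):
        return "unsupported"    # the 1.5 branch named in the article
    return "outdated"           # a supported branch but not its latest release


def survey(pages):
    """pages: {site: html}. Returns ({site: (version, status)}, {status: count})."""
    results = {}
    tally = {}
    for site, html in pages.items():
        v = wordpress_version(html)
        s = classify(v)
        results[site] = (v, s)
        tally[s] = tally.get(s, 0) + 1
    return results, tally


# Constructed sample pages standing in for fetched front pages.
SAMPLE_PAGES = {
    "blog-a.example": '<html><head><meta name="generator" content="WordPress 2.2" /></head><body></body></html>',
    "blog-b.example": '<html><head><META NAME="generator" CONTENT="WordPress 1.5.2"></head><body></body></html>',
    "blog-c.example": '<html><head><meta name="generator" content="WordPress 2.0.4" /></head><body></body></html>',
    "blog-d.example": '<html><head><meta name="generator" content="Movable Type 3.2" /></head><body></body></html>',
}

if __name__ == "__main__":
    results, tally = survey(SAMPLE_PAGES)
    for site, (version, status) in sorted(results.items()):
        print(f"{site:20} {version or '-':8} {status}")
    print(tally)
```

The check is only as good as the tag: a site that strips or spoofs the generator string shows up as "unknown" or misclassified, so absence of a version is not evidence of a patched install, and the version lists here are frozen at the article's date.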

There are likely two reasons that users have not upgraded, said Kierznowski.

"A lot of bloggers are not technical, and therefore, do not fully understand the reasons behind upgrading their software," Kierznowski told SecurityFocus in an e-mail interview. "The other specific challenge to WordPress is its plugin support. A lot of users do not want to upgrade because their favorite plugins would fail."

The survey, which Kierznowski acknowledges is not scientific, comes as security experts are increasingly worried about compromises that turn legitimate sites into points of infection for malicious software. Such attacks are using increasingly advanced JavaScript paired with obfuscation techniques to attempt to prolong a particular compromise. StopBadware -- a collaboration between Harvard Law's Berkman Center for Internet & Society and Oxford University's Oxford Internet Institute along with Google, Lenovo, and Sun Microsystems -- now lists more than 90,000 URLs that host links to malicious software.

The latest update to the WordPress software, released last week, fixes at least two significant security issues that could allow attackers to take control of sites using the blogging software.

Posted by: Robert Lemos
Copyright 2009, SecurityFocus