Followup on WordPress Security Issue

Time for some Q&A here…

Below are a few of the most oft-heard questions/statements about my previous panic-level-3 announcement regarding a serious security issue in WP and how to easily fix it temporarily (one checkbox to untick)… Along with answers:

“Is this a joke/hoax?”

Is the date the 1st of April?

“How critical is it?”

Critical enough.
Not all WordPress users are at risk, but I don’t suppose that would be of much comfort to you if you belonged to the 30% hackable installs.

“Will you tell me more about this exploit? I swear I won’t tell anybody else! This will stay between you, me and the World Wide Web…”

Frankly, if you do not understand why I won’t give even the slightest hint of what the exact problem is before enough people have applied the temporary fix (disabling ‘users can register’, under Options >> General) and an upgrade has been released, you are the last person I should be telling about this.

“Are you a WordPress official? a WordPress developer? Anybody with a title I can trust?”

Absolutely not. In fact, less than ever.

“Why don’t you leave that up to the Big Guys Who Know What’s Best For You®™ and go back to getting smashed on gin somewhere under a Parisian bridge then?”

Take your pick:

Because over the past year of distant involvement in the WP community, I have come to question and, well, often outright disagree with the way the Big Guys Who Know What’s Best For You®™ handled similar problems in the past.

Because, all modesty set aside, I am not sure how their strategy for handling such problems (which I have seen in action in the past) has proven better at containing disaster than the one I adopted here.

Or perhaps simply because, as some Big Guys Who Know What’s Best For You®™ have implied in one helpful bit of Shoot-the-messenger communication, I am an attention-craving moron with nothing better to do with his time than scare his fellow WordPress users into <gasp> unchecking one single option in their admin screen.

“Why do you relish so much in fear-mongering, FUD and…
OMFG…
What is this?
Snakes!!!! There are motherfuckin’ SNAKES on WordPress!!!
Ahhhh! do something!!!”

Right.
Why in the world would anyone want to make their security announcements sound too important?
All apologies for that bit of hysteria. Let me go back and add a few soothing pastel tones and some muzak to the original post.
Let’s rephrase too:

Hello, there’s a teeny itty bitty problem with your WordPress install, feel free to do something about it, but don’t worry too much otherwise, it’s all good man.

There. Better?

Now, seriously, to those who have been equating my behaviour with shouting “bomb” in a crowded airport: get. a. fucking. grip.
This is the internet, not an airport. Computer mouse stampedes rarely kill anybody. And I’m sure even the most Cheetos-infused computer nerd’s heart can take the news without prematurely giving out.

Making it sound serious is a) the only way to spread the news b) perfectly justified given the fact that, you know, this is pretty serious.

Truthfully, I don’t think there is much harm in raising the amount of caution people display when running server software. Such exploits are common, and not solely a WP problem (all server applications have had similar issues at one point or another). Lack of awareness in the general public is, if anything, the real danger. Sorry if that doesn’t sit well with some people’s pink-cloud marketing vision of the world.

Just consider yourself lucky I didn’t use:

Snakes on WordPress
(directorial credit: Leftjustified)

“You mean you didn’t just write that thing in a fit of aimless panic to scare other people out?”

There again, despite what some well-meaning people seem to have charitably been pinning on me, I did give a bit of thought to the problem before deciding the best course of action was to invite people to disable an option in their admin tools. And for those who really care, here is how I see things:

  • An exploit in WP was brought to my attention. It was neither the first one, nor probably the last one. Exploits are an unavoidable byproduct of major projects, not a catastrophe: you fix them and move on.
  • My very first reaction with this, was telling Geoff Eby, who discovered it, to contact WP devs and take it to them in private.
  • As would sometimes happen, it seems, the answer wasn’t really overwhelming, and it appeared some devs (suspicion confirmed ever since) even considered this to be of the “Not WordPress’, Somebody Else’s Problem” category. A position I reckon everybody has recanted ever since, but that threatened to be the official position then.
  • Now, I am sure a fix will eventually be released. It will be the fourth upgrade this year. And I bet you the whole “major security issue” thing would not exactly be put in large blinking letters on top of the official download site. Ya know, you don’t want people to panic and start thinking there may be a problem or anything.
  • I have absolutely no stats to confirm this, but I can also bet you there are still thousands of WordPress installs that haven’t even applied the previous security upgrades. “Too bad for them”, I hear you say? Well, sure, it’s not very smart, but you can’t blame them for eventually tiring of following announcements and refusing to sort out for themselves which are minor bug-fixing releases and which are major security-plugging ones (a distinction that is pretty much nonexistent in all WP official channels).
  • As a result, I get word every day of one WP install or another that’s been hacked, usually using an exploit supposedly fixed months ago (just have a look at some of the comments in the previous post).
  • I would be amazed, alarmist tone notwithstanding, if more than 50% of WP installs throughout the world were upgraded to a safe version by the end of the Summer.
  • On the other hand, the second the patch is released, every malicious coder with two bits of brain will know exactly how to exploit older versions and will go to work.
  • The fix I invited everybody to apply (namely: untick the ‘allow user registration’ option in WP’s General Options panel) is simple and does not reveal the exact nature of the exploit. Not only do I trust it to be more widely applied by less computer-proficient users than a full-on upgrade, but it will ensure that, by the time the upgrade is there and the exploit publicized, far fewer vulnerable installs remain.
  • So, think of it as a two-step process: first raise awareness and offer a simple temporary fix without risking helping script kiddies too much, then release the usual half-ignored patch and not have to watch the entire WP world crumble as dozens of unprotected blogs get defaced by 12-year-old pimply teenagers.

Or, you could just follow “protocol”: discuss the exploit at length on private developer mailing lists, safely out of sight of the general public (but well read by possibly every last malicious coder in the world), and release yet another semi-silent security upgrade while hoping the good people hear the news before the bad ones do…

But feel free to ignore this ranting of a madman: after all, perhaps I was just bored and figured this would be the best way to have some fun, without incurring serious cavity damage in an airport security room for mentioning snakes while boarding.

For anything else, feel free to contact your nearest WordPress Official for further word on what to do. I’ve done my bit.

Update: WordPress upgrade 2.0.4 should now patch this bug. If your version of WordPress is 2.0.4 or higher, feel free to ignore the warning above. If not, you should/MUST upgrade (more details in the comments).
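The post boils down to two checks per install: is it at 2.0.4 or later, and if not, is ‘users can register’ switched off. Below is an added example of my own (not the author’s code, not WordPress’s) that runs those two checks over a list of installs so you don’t have to click through each admin screen. It assumes that the version string lives in wp-includes/version.php as `$wp_version = '...';` and that the registration flag is the `users_can_register` row of the wp_options table (true for 2.0-era installs, but verify against your own). The sample installs at the bottom are constructed, not real blogs.

```python
import re

# WordPress release that the post's update says fixes the issue.
FIXED_IN = "2.0.4"

# Assumed format of wp-includes/version.php in a 2.0-era install:
#     $wp_version = '2.0.3';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")

# Assumed query for the registration flag: wp_options holds '1' when the
# option is ticked, '0' (or no row at all) when it is not.
OPTION_SQL = ("SELECT option_value FROM wp_options "
              "WHERE option_name = 'users_can_register'")


def version_key(version: str) -> tuple:
    """Turn '2.0.4', '1.5' or '2.0.4-beta1' into a comparable tuple.

    Missing components are padded with zeros ('1.5' == '1.5.0.0').
    A pre-release suffix sorts *below* the final release, so a
    '2.0.4-beta1' install is still treated as unpatched.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = [int(x) for x in m.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))
    is_final = 1 if m.group(2) == "" else 0
    return tuple(numbers[:4]) + (is_final,)


def parse_wp_version(version_php: str) -> str:
    """Extract the version string from the contents of version.php."""
    m = VERSION_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def registration_enabled(option_value) -> bool:
    """Interpret the wp_options value; a missing row (None) means off."""
    if option_value is None:
        return False
    return str(option_value).strip() not in ("", "0")


def assess(version: str, option_value) -> str:
    """Classify one install.

    'patched'    : FIXED_IN or later; registration may be switched back on
    'mitigated'  : older than FIXED_IN, registration off: the temporary
                   fix is in place, but the install still must be upgraded
    'vulnerable' : older than FIXED_IN with registration on
    """
    if version_key(version) >= version_key(FIXED_IN):
        return "patched"
    return "vulnerable" if registration_enabled(option_value) else "mitigated"


def check_fleet(installs: dict) -> dict:
    """installs maps a label to (contents of version.php, users_can_register value)."""
    return {label: assess(parse_wp_version(php), opt)
            for label, (php, opt) in installs.items()}


# Constructed sample inputs standing in for four real installs.
SAMPLE_INSTALLS = {
    "blog-a": ("<?php\n$wp_version = '2.0.4';\n", "1"),
    "blog-b": ("<?php\n$wp_version = '2.0.3';\n", "0"),
    "blog-c": ("<?php\n$wp_version = '1.5.2';\n", "1"),
    "blog-d": ("<?php\n$wp_version = '2.0.4-beta1';\n", None),
}

if __name__ == "__main__":
    for label, status in check_fleet(SAMPLE_INSTALLS).items():
        print(f"{label}: {status}")
```

In practice you would read version.php off disk for each install and feed `OPTION_SQL` to each blog’s database to get the option value; anything reported as ‘vulnerable’ needs the checkbox unticked today and an upgrade as soon as you can manage it, and ‘mitigated’ only buys time until the upgrade.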

Filed under: Geek, WordPress

43 comments

  1. DrD – I’m shocked so many people have tried to fault you for what you did. I for one appreciate it. If other people want to play possum and roll up in a ball that’s their problem. Running server software is serious business and can cause serious problems. While we will always have script kiddies looking for version ‘X’ that they can exploit, I’m still amazed at the ones who poke at custom written code looking for exploits and find them (friend of mine got nailed recently by this – bad code architecture and poof – they’re a UDP flooder in a DDoS.)

    I think WordPress is an excellent system – but developers have to take security seriously. If they don’t then no matter HOW great their product is, it’s dangerous to use. WordPress in open comment mode was unusable until SK2 came along. It was the only solution that worked. Akismet is great, but combine it with SK2 and it’s that much better. Keep up the great work and I can only speak for myself, but if any other security alert hits my SK2 news window, no matter how shrill, I take it seriously.

  2. Thanks for alerting people here, and with a visible red banner announcement in my spamkarma control panel. (Which seems to have disappeared? I’m glad I clicked it and read.)

    I relayed the alert on my knitting blog. There are *tons* of knitters who have not installed the most recent upgrade (Heck, some are still using WP 1.2!!!)

    For the record, I got hacked long ago. It wasn’t due to this particular issue. ( I did stuff to tighten up my own security.)

    Getting hacked is inconvenient. Very inconvenient. Suggesting this simple step to prevent the possibility, was very wise. If another one arises, please do mention it!

  3. It’s not for the first time that Matt has proven himself of being unable to handle security issues regarding WP seriously and with the appropriate sensibility, and it won’t be the last time as well.
    So I wouldn’t bother at all about his manner deficits as long as there are still others that know how to handle these topics right.

    I am, for myself, not a great friend of full nondisclosure policy, but security alerts like the one you’ve proven, which include both a small hint for the knowing ones and a quick solution for the usual users are totally okay for me.

  4. Thx bud, I would’ve caught this last night if I didn’t go out on a rare occasion. The scary thing is, why isn’t it on the Dashboard yet?! Maybe it has something to do with the fact that my inquiries never get answered on the support forum lol.

    Thx again.

  5. Lucia: re. sk2’s announcement: yes, as of now, they will only appear once and not bother you again (they are meant to be really lightweight upgrade announcement, not a permanent nag each time you log in).

    Elliot: Please, call me a doofus, but at least give me enough credit that I wouldn’t suddenly post a panicky announcement regarding an exploit fixed two months and one version of WordPress ago.

    So, just in case the post above somewhat didn’t sound clear enough: no, these people aren’t “on top” of anything, except last month’s exploit du jour and no, they aren’t “explaining it better” (what exactly do you expect me to do? post a detailed how to on this exploit?).

    [sigh]

    Everybody else: thanks for the support…

    And as for anything else regarding further handling of this problem (and, err, why it’s still not appearing on WP’s dashboard feed instead of, say, Matt’s blog report about the latest cool web2.0 conference he attended somewhere)… Please contact WP officials directly and take it to them. I really am in no position to answer such [legitimate] interrogations.

  6. @Elliot: This is not the same thing.

    I’d like to put out more advice, or a warning, but I am not qualified to decide how to direct this situation, or solve it, no matter how useful I think my ideas are. I passed on knowledge of it to WordPress devs last Sunday morning. By Tuesday I wondered why I couldn’t get a response.

    There’s a small handful of people I identified as knowledgeable about how to proceed, and on Wednesday I informed one, Dr Dave, simply because he was available.

    His idea was that a warning should be sent out immediately to prepare people for an upcoming patch, and that waiting for Matt or Ryan would take too long and they would avoid doing anything for too long when they were ready to acknowledge the problem. To Dr Dave’s credit, Ryan did initially respond to it as something that WordPress devs could ignore. And with help from Dr Dave, he’s since changed his position of this exploit as something that does require a patch.

    So it’s taken until twelve hours ago for the problem to be acknowledged properly and many people have been notified. I’m not sure how long it will take for an official announcement, but the delay is confirming for me why Dr Dave chose the action he did.

  7. Dr. Dave.
    Your red banner announcement is actually much more effective than the dashboard. I don’t know about other users, but I rarely check the dashboard. I check issues associated with spamkarma or Akismet every day. So, it worked very well. I was just wondering if I was hallucinating because I knew I’d seen the red banner and later it was gone!

    I think it’s terrific you came up with the idea in the first place. So, thanks again.

  8. Pingback: The Code Cave
  9. Lucia

    Well, I’m very glad to hear it. Regarding Dashboard announcements usefulness, well, I’m trying as much as possible to stay out of this debate, because sincerely, I’ve really had my share, but: at the time, many people (yours truly included) pointed out that it was absolutely pointless to have such a way of communicating news, if it was abused for ego gratification the way it was. It should be bleeding obvious that broadcasting 20 loosely related “WordPress News” a week (that is, posts talking about WordPress on either of the main developers’ blog) would make this channel all the less suited for real upgrade and security broadcast.

    As I said, the debate happened, and as was usually the case, didn’t really lead anywhere (at least not where the majority of sensible people were taking it).

    Now you have a better idea why I picked the road I did.

  10. Ok.. I looked at the dashboard. I have a question:
    1) When the WP guys announced the upgrade to 2.0.3, they refer to a bug reported at bugtrack. Is bugtrack a blog? A spot on the WP site? Why didn’t they link to it so we could read about it. (I googled on bugtrack. It’s listed on many of the blogs announcing the upgrade – but not linked.)

    2) What the heck was the security bug? Presumably it’s already discussed at bugtrack, so dedicated hackers can find it out, but people who spend their time doing other things aren’t going to be spending their days searching.

  11. Pingback: T. Longren
  12. Dave,

    thanks for the advice!

    Have you tried to submit this issue to SECURITYFOCUS or any other CERT? Probably that will propagate it much faster and better.

    Ignacio.

  13. Dear Dr. Dave, thanks for the announcement – but please, can you clarify if the issue has been fixed in 2.0.4?

  14. Yeah, inquiring minds want to know, does 2.0.4 fix the issue? I had several of my older sites still on 2.0.1 and 2.0.2 so I took the initiative today to upgrade every one of my sites to 2.0.4.

  15. Update on the security flaw

    The exploit has been, as far as I can tell(*), fixed by the latest 2.0.4 release. You are therefore strongly recommended to (read: you MUST) upgrade to this version.

    As for the “users can register” option: enabling it back should be OK.
    I personally will leave it off on my blogs, as I just don’t feel like entrusting strangers with access to wp-admin in the current state of the code (I insist that the aforementioned exploit has been fixed now, I am only being paranoid here).

    (*) Note that this is only my own very superficial testing of the code released: in no way the word of any official developer. You should all be aware that I have barely any more official knowledge of this than you do, considering Matt’s fondness for the stealth&ignore school of crisis management (basically, if it doesn’t make it on Slashdot, you can bet you’ll never read about it on his blog). As you may have noticed, he has been marvellously low-key about the whole thing (you know, don’t want investors users to “panic” or, god forbid, start suspecting that WP might sometimes have security flaws in it). It also bears pointing out that he has neither contacted me nor replied to my emails in any way other than posting his very helpful comment above.

    And just to definitely close that chapter of WP’s Incredible Security Adventures by saying I have no regrets whatsoever about releasing this warning, given the way it was otherwise handled by WP officials: 1) deny 2) minimize 3) somewhat acknowledge 4) keep shut 5) release an upgrade that likely won’t be installed by more than 50% of the general public with for only communication a tiny confusing “upgrade announcement” message in the dashboard feed, wedged between two inconsequential WP marketoid news.

  16. Regarding people still running 1.5:

    Trust me, I am the first one annoyed by this (considering how some of my blogs still happily run 1.5 with little will to upgrade), but it is now time to seriously consider upgrading.

    I wish there were a better way, especially considering WP 2.0 comes with its own bunch of issues, bugs and security issues, but it will become increasingly tedious to keep up with all the security fixes and provide 1.5-compatible patches for them. Chiefly thanks to the aforementioned level of transparency and communication around these flaws: it takes skills worthy of a 70’s Eastern European spy to manage and extort clear information from the Powers That Be on every single security flaw that may affect each version of WordPress.

    I for one, will keep user reg disabled on my 1.5 blogs, quickly tweak the most critical bits and look into upgrading to an easier-to-maintain platform (be it WP or other) soon enough. I advise you do the same or your life will be a kafkaesque hell of muddy bug report decrypting and patch maintenance.

  17. Pingback: rootsvr.de Blog
  18. Pingback: http://localhost

Comments are closed.