WordPress users who updated to 2.1.1 need to upgrade ASAP:
Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.
Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.
It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.
This is the kind of thing you pray never happens, but it did and now we



test
Umm… this wouldn’t have anything to do with why I get error messages when I try to access The Flight Deck, would it?
should be back up in a couple of minutes…
Code is?
Code is… never mind.
You were gonna say poetry…weren’tcha?
And then I read this: “…minutely external verification of the download package”. As written it sounds like a slapdash application of QA principles, as in: “we’ll give it a look, but it’ll be a very small look.” But Hey! Once an editor…
Sorry!
Got mine upgraded last night. I’m surprised this sort of thing doesn’t happen more often. Think of all the times you’ve downloaded an application and blindly installed it without giving the briefest thought as to the authenticity of the download? There are several readily available ways to safeguard against this. Alas, even if all the free/shareware application sources provided such safeguards, the end user has to manually perform the verification step — something that just isn’t going to happen until it is done for them behind the scenes.
Buck: indeed, a poor choice of wording in that sentence.
So, who might this “MasterCraker” be, anyway?
Seems like he jumped on this vulnerability nearly “Instant”ly.
[Sorry. Not trolling. Merely amused at the security worries of even blogging. Hope they catch and prosecute all these on-says of itch-bays.]
-SJBill
Cracker?
As a white male I am, well, offended.
N
Oh no!! It’s INSTA-CRACKER!!
Just thinking like an engineer here, but if you download WordPress you’re downloading a binary image, right? You uncompress it, install it, and go about using it none the wiser that it’s been compromised. Which means L33t H@x0r either had access to the source code or managed to patch a binary to insert his little subroutine. This is not a trivial thing he has done and goes far beyond the standard trojan, virus, or worm normally seen. Long story short, this wasn’t done by some script kiddie, this was done by somebody who knows what they’re doing and Has A Plan.
The cure of course is a checksum of the binary code with an MD5 hash or something similar, but getting such functionality standardized and then built into the OS automatically and making the checksum verification incapable of being spoofed? Sorry, you might as well try herding cats as attempt to get all vendors to support such an idea.
– Max
Nose, the crackers are all down here. You’re relatively safe up there. Offense noted.
Time to start running MD-5 sums against them….
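The commenters above propose checksum verification of the download as the safeguard against a tampered package like the modified 2.1.1 archive. As an added example (not part of the post and not WordPress's own tooling), the Python below checks an unpacked tree against a manifest of expected digests and reports modified, missing and unexpected files; the manifest format, the sample files and the tampering step are all constructed for the demo, and SHA-256 is used in place of the MD5 the comments mention because MD5 collisions are practical today.

```python
"""Check an unpacked release against a manifest of expected SHA-256 digests.
Added example, not WordPress's own tooling; the manifest format and the
sample tree are constructed for the demo."""
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_tree(root, manifest):
    """manifest maps relative path -> expected hex digest.
    Returns lists of modified, missing and unexpected (unlisted) files."""
    modified, missing = [], []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_of(path) != expected:
            modified.append(rel)
    present = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            present.add(os.path.relpath(os.path.join(dirpath, name), root))
    unexpected = sorted(present - set(manifest))
    return {"modified": modified, "missing": missing, "unexpected": unexpected}

def demo():
    """Write a constructed two-file 'release', record its manifest, then alter
    one shipped PHP file (as the announcement describes) and re-check."""
    root = tempfile.mkdtemp()
    files = {"wp-includes/a.php": b"<?php echo 'a'; ?>\n",
             "wp-includes/b.php": b"<?php echo 'b'; ?>\n"}
    os.makedirs(os.path.join(root, "wp-includes"), exist_ok=True)
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    manifest = {rel: sha256_of(os.path.join(root, rel)) for rel in files}
    clean = check_tree(root, manifest)          # all three lists empty
    with open(os.path.join(root, "wp-includes/b.php"), "ab") as f:
        f.write(b"<?php /* constructed, harmless extra line */ ?>\n")
    return clean, check_tree(root, manifest)   # second result flags b.php
```

A digest list fetched from the same server as the download gives no protection when that server is the one compromised, since the attacker can rewrite both; the manifest has to come from an independent channel, or be a signature whose verification key was obtained beforehand.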