Wednesday, July 23, 2008

You want to read this

I know this, not because of my exceptional perceptiveness, but because you're reading a blog.

Ever wondered what sort of security a blog has? Could someone take over a blog and post malware that might infect you? As a full service security blog (when I'm not shooting Teletubbies), let's take a look.

One of my early posts talked about security vulnerabilities (flaws that could let a Bad Guy take over the computer or program). Now, not all vulnerabilities are equally serious, or equally easy for the Bad Guy to exploit. However, comparing the number of vulnerabilities in two different, competing products can be instructive.

CVE is a public repository of vulnerabilities, tracking vulns in pretty much everything, including Blogger, Livejournal, and Wordpress. You can query it for a bug count. Let's look at the score:

Blogger: 21
Livejournal: 5
Wordpress: 138 (ouch)
So We'erd Beard, you win the "Most secure blog in my bloglist" award. I owe you a Teletubbie. Lissa, not so much. Everyone else, you're in the same boat as me, for whatever that's worth.

Now numbers aren't everything, so let's take a little deeper dive.

Blogger. Still new vulnerabilities being discovered, but at a fairly low rate (3 so far this year). Least important is that someone could change your post. Most serious is the directory traversal flaw that lets someone run code remotely - web servers saw this sort of thing a long, long time ago. Let's party like it's 1999. We'll give Blogger a "Gentleman's C" for a grade.

Livejournal. No recent vulnerabilities (good). Most recent vulnerability is a stack based buffer overflow (bad). Still, it was a while ago, so let's give Livejournal a B-.

Wordpress. 43 this year. Ouch. Even worse is that there's a bunch of stuff like this:
Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
This means that a Bad Guy can feed malicious HTML and scripts to a Wordpress blog, and you folks, the readers, could be attacked by it. And it's not just vulnerabilities: got yer Wordpress exploits right here (don't try this at home kidz, we're trained professionals). Wordpress gets an F (sorry, Lissa).

Cross Site Scripting is serious. Here's a great demo on how it works - go watch it.
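Here is what that CVE entry means in code, as an added example that is not from the original post or from Wordpress: a constructed comment carrying a harmless script tag, the string-building that lets it through to readers' browsers, and the output encoding that stops it. The function names and the sample comment are made up for this illustration.

```javascript
// Added example (not Wordpress code): stored XSS through a blog comment,
// and the output-encoding fix. Everything below is constructed for illustration.

// A constructed comment a Bad Guy might submit. The payload is deliberately
// benign; a real one would run whatever script the attacker chose.
const HOSTILE_COMMENT = 'Nice post! <script>alert("xss")</script>';

// Vulnerable rendering: the comment text is pasted straight into the page's
// HTML, so every reader's browser runs the embedded script on page load.
function renderCommentUnsafe(author, body) {
  return `<li class="comment"><b>${author}</b>: ${body}</li>`;
}

// Output encoding: the five characters that can change HTML structure become
// entities, so the browser displays the text instead of interpreting it.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: every untrusted field is encoded at the point it is
// written into HTML. (Allowing a few "safe" tags instead needs a real HTML
// sanitizer, not a regex; this version allows no markup at all.)
function renderComment(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Crude triage check a blog owner could run over already-stored comments:
// does the raw text contain anything a browser would treat as a tag?
function looksLikeMarkup(text) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(text);
}

console.log('unsafe :', renderCommentUnsafe('reader', HOSTILE_COMMENT));
console.log('escaped:', renderComment('reader', HOSTILE_COMMENT));
console.log('flagged:', looksLikeMarkup(HOSTILE_COMMENT));
```

The escaped version still shows the comment's text, script tag and all, but as literal characters the browser never executes.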

So what do you do? First read my other early post on safer browsing. Second, ditch Wordpress (if you're paranoid like me). There's bad juju in them thar hills, and it could leave juju stains all over your computer. It looks like a trifecta of a popular application, lousy security programming, and a lousy architecture that lets any Tom, Dick, and Harry write their own lousy security in their plug-in. Get out of there.

Do it for the children™
