On Tue, Sep 15, 2009 at 6:36 PM, Benjamin Lees emufarmers@gmail.com wrote:
On Tue, Sep 15, 2009 at 1:38 PM, Gregory Kohs thekohser@gmail.com wrote:
My favorite part of that article: "Even the open source MediaWiki software has more than its fair share of security vulnerabilities." As written, this suggests that there are unpatched security vulnerabilities; I can only assume the author meant that the software has _had_ more than its share of vulnerabilities. Even still, that seems like a made-up claim: I suspect that a quantitative study would show that MediaWiki has actually had fewer security vulnerabilities than comparable software (and that's not even counting the disparity in severity/exploitability that Aryeh notes). WordPress, for instance, has 183 entries on the NVD; phpBB has 240. (Analysis using the NVD is somewhat unfair, since it seems to make no distinction between the core software and extensions or derivatives. It's also unclear how comprehensive the NVD is, given that they don't have an entry for the XSS vulnerability Aryeh mentioned.)
Beyond that, I think the article misses the point of open source as regards security. Open source development doesn't automatically prevent holes from appearing (though it can, since code will have more eyes on it before it's deployed); it makes it easier to identify and patch them. Of course, it would be difficult to compare the number of vulnerabilities in open-source software to that in closed-source software, since open-source software developers usually try to publicize vulnerabilities as much as possible, while closed-source software developers usually want to avoid disclosing vulnerabilities.
On Tue, Sep 15, 2009 at 5:12 PM, Aryeh Gregor <Simetrical+wikilist@gmail.com> wrote:
Compare to WordPress, where if you don't keep up-to-date you can get your server taken over and used to send spam (this has been happening recently, I've heard). Not only is that worse for you, it's much more profitable for attackers, so you're likely to see more widespread automatic exploitation. I haven't heard of widespread exploitation of any MW security vulnerability, although it's possible it's happened.
I haven't even heard of _isolated_ exploitation of MediaWiki security holes, let alone anything widespread. Aren't most MW vulnerabilities discovered through audits, code review, or third-party reporting, rather than demonstrated exploitation?

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Last point is dead-on. Almost all of our security issues that I can remember come in as bugs -- or e-mails to security@wikimedia.org -- that describe a potential attack vector and possibly a use-case to trigger the described issue. This is how almost all of our bugs are reported and fixed. Major security issues (the XSS ones in the installer are a great example) usually get an immediate patch and release. These are almost always backported to the still-supported releases.
The thing that the vulnerability list does not take into account is that old releases are no longer supported. I'm sure there's a whole lot of unpatched vulnerabilities in 1.8 or 1.9. These versions are also unsupported. If you come looking for help in #mediawiki and you're running an outdated version, the most help you'll get is helping you upgrade.
We drop old versions after a while because it's impossible to maintain an infinite number of back releases. I'm sure there's buffer overflow possibilities in Word 97 that don't exist in Word 2007. We don't see people flipping out over that, do we? Upgrade and these issues quickly become non-issues, period.
Current security issues deserve investigation and fixing, bugs from old and unsupported releases don't, and that site is pretty much a list of the latter.
-Chad