No, really. Patch your DNS.

“First, take the advisory seriously—we’re not just a bunch of n00b alarmists, if we tell you your DNS house is on fire, and we hand you a fire hose, take it.” Sage advice from Paul Vixie on the recent DNS Cache Poisoning exploit. Many systems remain unpatched, even though this security vulnerability is critical and should be addressed immediately.

Multi-Vendor patch addresses major DNS exploit

In a rare show of cooperative effort, multiple vendors released a patch today to their DNS implementations, the underlying technology behind connecting domain names to the IP addresses they live on. DNS Admins are urged to patch the systems in their charge, immediately. Securosis has the full story. Here’s a tool to test whether you’re at risk to the Cache Poisoning exploit.

Interestingly enough, only one DNS implementation was not affected: DJBDNS.
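As an added example (not from this post, Securosis, or the linked test tool): the multi-vendor patch worked by randomizing the UDP source port of a resolver's outbound queries, so one defender-side check is whether your resolver's queries still all leave from a single predictable port. The tcpdump-style capture lines, addresses and port numbers below are constructed for illustration.

```python
import re

# Matches the tcpdump-style "src.port > dst.53:" prefix used in the constructed
# sample below (addresses are from RFC 5737 documentation ranges).
_FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.53:")

def source_ports(capture_lines):
    """Return the UDP source ports of outbound queries to port 53, in order."""
    ports = []
    for line in capture_lines:
        m = _FLOW.search(line)
        if m:
            ports.append(int(m.group(2)))
    return ports

def assess_source_ports(ports):
    """Classify a resolver's outbound source-port behaviour from a sample.

    'fixed'       : one port for every query (the unpatched behaviour)
    'sequential'  : ports change by a constant step (trivially predictable)
    'low_entropy' : ports vary, but over a narrow or repetitive range
    'randomized'  : what a patched resolver should look like
    """
    if len(ports) < 4:
        raise ValueError("need at least four observed queries")
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if len(deltas) == 1:
        return "sequential"
    spread = (max(ports) - min(ports)) / 65535  # fraction of the port space
    if distinct < 0.9 * len(ports) or spread < 0.25:
        return "low_entropy"
    return "randomized"

# Constructed sample: an unpatched resolver sending every query from port 53211,
# and a patched one using a different high port for each query.
UNPATCHED = [
    "192.0.2.10.53211 > 198.51.100.5.53: 1234+ A? example.com." for _ in range(6)
]
PATCHED = [
    f"192.0.2.10.{p} > 198.51.100.5.53: 1234+ A? example.com."
    for p in (34871, 61002, 9177, 50318, 22944, 44560)
]

if __name__ == "__main__":
    print("unpatched:", assess_source_ports(source_ports(UNPATCHED)))  # fixed
    print("patched:  ", assess_source_ports(source_ports(PATCHED)))    # randomized
```

A handful of queries is enough to catch the fixed-port case; judging a resolver "randomized" with confidence needs a larger sample than the six lines shown here.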

Another Useful WordPress Security Plugin

WordPress Exploit Scanner 0.1 has been released, in response to a comment on a recent thread about old versions of WordPress sites being hacked. You may have spotted this in your WordPress dashboard. Problem is, it only works for v2.5.1+, so it will only be useful in keeping you safe going forward. I just installed it on a basic WordPress site with K2, and got the following results:

Suspect Plugins
These plugin files look suspect. Please verify they are files you uploaded.

  1. ../themes/k2/app/includes/k2-sbm-loader.php

No suspicious posts or comments found

Hooray! No suspicious text found in your posts or comments tables!

For a brand new plugin that’s not bad, but throwing a false negative on such a popular theme is something that will need to be addressed. I’ll be keeping an eye on this one.

Better Default Security in WordPress 2.6

WordPress 2.6 will be more secure out-of-the box including better support for running the admin over SSL and changes to disable the remote publishing protocols by default.

We have chosen to disable Atom Publishing Protocol and the variety of XML-RPC protocols by default as they expose a potential to be a security risk.

Peter Westwood, a Lead Developer for WordPress, revealed they are making the default install more secure. This will go a long way to making WordPress more secure. If your security consciousness has the dial tuned closer to the paranoid end of the spectrum, then check out Blog Security’s WordPress Security Whitepaper, which lists out many things you can do to lock down your self-hosted blog, and keep out the baddies.