WordPress Releases Security Update
If you have automatic updates enabled on your WordPress site, then you were greeted with an email this week that your site had been updated to 3.9.2. The conscientious among us gave our sites a quick glance to make certain everything was still working as expected and moved on; most users likely deleted the email and went on with life. There’s an interesting story behind this update though, and I think it’s a great indicator of how powerful and positive the open-source community is.
Oh, and in case you don’t have automatic updates enabled, you should update your site. Like, now. Go, do it. I’ll wait…
The Nature of the Exploit
The security hole opens the door for an XML Quadratic Blowup Attack, which targets the XML parser. If you’re familiar with the Billion Laughs denial of service attack, then this will sound similar. In a Billion Laughs attack, a single small entity (typically “lol”, which is where the attack derives its name) is declared and then referenced through layers of nested entity definitions, so that it expands exponentially when the document is parsed. While the initial document is only a few KB in size, it quickly expands to several GB, far more load than your server can handle, and crashes your site. Thus, it’s a denial of service attack. The difference in this exploit is that, instead of using nested entities like Billion Laughs does, it simply declares one large entity that is several thousand characters long and references it over and over. Thus, a simple XML document quickly becomes several GB in size once expanded, and the XML parsing process never finishes. The end result is that your site and server crumble under the load. Mashable has done an excellent technical write-up of the attack that’s worth your time to read.
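To make the failure mode concrete, here is an added example (my own code, not WordPress’s or Drupal’s patch) of the kind of budget check a defender can put in front of an expat-based XML parser: it refuses oversized entity declarations and aborts as soon as the expanded text passes a cap, so a document that expands quadratically (or exponentially, as in Billion Laughs) stops early instead of eating the server. The sample documents and the limit values are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample documents (not from the original post). BENIGN is a
# plain XML-RPC-style body; QUADRATIC is a deliberately tiny stand-in for
# the pattern described above: one entity referenced many times.
BENIGN = (b"<?xml version='1.0'?><methodCall>"
          b"<methodName>demo.sayHello</methodName></methodCall>")
QUADRATIC = (b"<?xml version='1.0'?><!DOCTYPE d [<!ENTITY big \""
             + b"A" * 200 + b"\">]><d>" + b"&big;" * 500 + b"</d>")


class XmlExpansionLimit(Exception):
    """Raised the moment a parse exceeds the configured expansion budget."""


def parse_with_budget(doc, allow_dtd=True, max_entity_len=256, max_expanded=16 * 1024):
    """Parse `doc` with expat, aborting early instead of letting entities balloon.

    Returns the number of characters of character data the parser produced.
    Three checks: optionally refuse any DOCTYPE, refuse a single entity
    declaration longer than max_entity_len, and stop once the cumulative
    expanded character data passes max_expanded (limits are illustrative).
    """
    parser = xml.parsers.expat.ParserCreate()
    expanded = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise XmlExpansionLimit("DOCTYPE not permitted")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # value is None for external entities; only internal ones expand here.
        if value is not None and len(value) > max_entity_len:
            raise XmlExpansionLimit(f"entity {name!r} is {len(value)} chars")

    def on_char_data(data):
        nonlocal expanded          # expat delivers expanded entity text here
        expanded += len(data)
        if expanded > max_expanded:
            raise XmlExpansionLimit(f"expanded text exceeded {max_expanded} chars")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_char_data
    parser.Parse(doc, True)
    return expanded


def is_safe(doc, **limits):
    """True if the document parses within budget, False if a limit tripped."""
    try:
        parse_with_budget(doc, **limits)
        return True
    except XmlExpansionLimit:
        return False
```

With the defaults, QUADRATIC trips the cap after 16 KB of expansion even though its 200-character entity is individually small; refusing DOCTYPE entirely (allow_dtd=False) is the simpler policy when an endpoint never needs a DTD.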
What To Do?
WordPress has released a security patch for this attack. As I mentioned above, if automatic updates are enabled on your WordPress site, then you’ve already received the security patch and you’re in good shape. This is exactly the sort of situation for which automatic updates were designed. If you’re in version control, or for some other reason have automatic updates disabled, then update now (with the usual precautions).
Why Open Source is Awesome
For those of us who love WordPress for the beautiful, simple, and sexy king of content management systems that we know it to be, we’ve all heard the haters. Many of my colleagues who are Drupal developers like to talk down about WordPress because of security issues. I actually heard about this exploit from a Drupal colleague first, because the same exploit impacted both platforms. What I love about the story behind this exploit is that engineers from both platforms worked together to patch the hole, and Drupal and WordPress released their updates simultaneously. Regardless of which platform you prefer, or for what reasons, this shows the best of the open source community. We work together for a better Internet, regardless of which platform you want your site to run on.