Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Wikipedia dodges critical vulnerability that could have let attackers take over

Ellen Messmer | Jan. 30, 2014
Action taken quickly to fix MediaWiki code, but event shows why open-source security matters more than ever.

The possibility of Wikipedia being taken over by attackers was just foiled by quick action on the part of Wikimedia Foundation, the nonprofit that operates Wikipedia, with the help of Check Point, the security firm that discovered the critical security hole in its code.

"It is conceivable that someone who discovered this vulnerability could have executed code that may have made it possible to access user data," says Wikimedia Foundation spokesman Jay Walsh. But it was Check Point researchers who discovered this vulnerability first in the MediaWiki project Web platform, which is open-source code used to create and maintain wiki websites.

Check Point says what its researchers uncovered was a remote-code execution flaw in MediaWiki 1.8 onwards where the attacker could potentially gain complete control of the vulnerable web server. A patch "was applied to the software within 45 minutes of discovery," says Walsh. WikiMedia has also released the patch today so others can apply it to the open-source code as well.

This is only the third time since 2006 that a remote-code execution flaw had been identified in MediaWiki open-source code. If an attacker had discovered it first, then it would have been a "zero-day" vulnerability without a patch, says Patrick Wheeler, head of threat prevention product marketing at Check Point.

Check Point says if the vulnerability hadn't been discovered and fixed, an attacker could have been able to control the web server or any other wiki' site running on MediaWiki, and potentially inject and serve malware-infecting code to users visiting those sites.

This would have been a disaster to the millions of visitors to the site each month, and a blow to the respected open-source project that has helped foster the popular online Wikipedia encyclopedia.

Charles Henderson, director of application security services in Trustwave's SpiderLabs research division, says it's not that vulnerabilities are "necessarily better or worse" in open source as compared with closed source, proprietary code. The point is that open source code has become so widely used, including by business, any serious security issues in it that crop up can't be ignored.

Some open-source projects do a good job of managing security updates, says Henderson, while others seem more lax. But the openness of how code is developed and if necessary, patched, means that attackers can monitor open source development fairly easily, he says.

Sonatype CEO Wayne Jackson says the security of open-source code is getting more attention from those in the federal government, for example, who want to know more about how it gets developed. Jackson says there have been a string of security incidents associated with identified open-source vulnerabilities, such as last summer when a vulnerability in the Apache Struts web application framework was sold as an automated attack script in Chinese circles online. The Struts vulnerability was also tied to a cyber-intrusion into a Chicago-based trading exchange around that time, Jackson adds.


1  2  Next Page 

Sign up for MIS Asia eNewsletters.