MySQL.com compromised by SQL injection

This day just had to come:

MySQL.com compromised

MySQL.com (the official site for the MySQL database) was compromised via (shocking!) blind SQL injection. A post was sent today to the full disclosure list explaining the issue and dumping part of their internal database structure.

What is worse is that they also posted the password dump online and some people started to crack it already. Some of the findings are pretty bad, like the password used by the MySQL director of product management being only 4 numbers (6661); they also posted multiple admin passwords for blogs.mysql.com…

MySQL have not said anything about this attack, but we will post more details as we learn more about it.

Source: Sucuri

The irony.

Security update, time to upgrade Django

Django has a 0-day security vulnerability. It’s time to upgrade:

Security updates released

Today the Django project is issuing a set of releases to remedy a security issue. This issue was disclosed publicly by a third party on a high-traffic mailing list, and attempts have been made to exploit it against live Django installations; as such, we are bypassing our normal policy for security disclosure and immediately issuing patches and updated releases.

Description of vulnerability

Django’s forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.

Affected versions

Any Django application making use of EmailField or URLField in the following versions is vulnerable:

  • Django development trunk
  • Django 1.1
  • Django 1.0

Read more at Django blog
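To make the "pathological performance case" concrete, here is an added illustration (my own constructed code, not Django's regex or patch, which the post does not reproduce): a domain matcher with a nested quantifier, beside a hardened form that bounds every label and caps input length before the regex runs. The patterns, the `MAX_LEN` value and the function names are assumptions for this example.

```python
import re
import time

# Constructed illustration only: this is NOT Django's email/URL regex, which
# the post does not reproduce. The nested quantifier (?:...+\.?)+ lets the
# inner and outer repeats split the same run of characters in exponentially
# many ways, so one rejecting input makes the engine try every split.
VULNERABLE_DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.?)+[a-z]{2,6}")

# Hardened form: every label is bounded (max 63 chars, as DNS requires) and
# every repeated group must start with a literal '.', so there is only one
# way to consume a given input and backtracking stays linear.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HARDENED_DOMAIN_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*\.[a-z]{{2,6}}")

MAX_LEN = 253  # assumed cap (longest valid DNS name), checked before the regex runs


def is_valid_domain(value: str, pattern: re.Pattern = HARDENED_DOMAIN_RE) -> bool:
    """Reject oversized input first, then run an anchored full match."""
    if len(value) > MAX_LEN:
        return False
    return pattern.fullmatch(value.lower()) is not None


def seconds_to_reject(pattern: re.Pattern, value: str) -> float:
    """Wall-clock time the regex engine needs to reject `value`."""
    start = time.perf_counter()
    pattern.fullmatch(value)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed hostile input: a run of valid label characters ending in
    # one byte that can never match, forcing the engine to backtrack fully.
    for n in (10, 14, 18):
        hostile = "a" * n + "!"
        print(f"n={n:2d} vulnerable={seconds_to_reject(VULNERABLE_DOMAIN_RE, hostile):.4f}s "
              f"hardened={seconds_to_reject(HARDENED_DOMAIN_RE, hostile):.6f}s")
```

Running the script shows the vulnerable pattern's rejection time roughly doubling with each extra character while the hardened one stays flat; the length cap is what protects even a well-written regex from multi-kilobyte inputs.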

Round up on WordPress and opensource vulnerability

Not long ago, word went around to upgrade WordPress to its latest version, 2.8.4. Robert Scoble suffered some loss: hackers broke in and deleted some of his blog posts. In addition, the hackers placed malicious code in his archive pages, and Google sent him an email stating that it had removed his blog from its index.

I would be terribly upset if such things happened to me. I keep updating WordPress just in case. But what happens if it does get hacked? Are the WordPress developers to blame? One of the things brought up is custom plugins being incompatible with the new WordPress. I hate to say this, but when it comes to security it is still more important to temporarily disable the plugin and fix it ASAP than to skip the upgrade. The risk is just too great.

And backups. Do them frequently. If it’s hard to do backups, just pay your host to do so. I just pay them to settle that stuff for me. I’m not too clever with all the backup utilities; I’ve never had the time to explore them.

One of the comments in Scoble’s Friendfeed caught my attention:

This recent wave of WordPress incidents shows the negative side of using open source software. Matt says that there are many people looking into WordPress’ source code, but the problem is that probably half of those people have malicious reasons for doing so. – Nikolay Kolev

To which Matt of WordPress fame replied:

Nikolay, it’s always better to have more people looking at the code, because a bug that’s been found is better than a bug that hasn’t. WordPress used to get almost no security problems, and people thought it was because it was coded differently, when in fact it was coded far worse than it is today; it just didn’t have enough users to make it worthwhile to target. Also, where many commercial or proprietary companies try to minimize information about their problems, or sit on a fix for months so they can package a bunch into one update, we put everything out there, doing a new release as soon as possible after a problem has been reported. – Matt Mullenweg

Here’s another response from another user, Tim:

Nikolay: I would also push back against your assumption that using Open Source software equals less security. Microsoft Windows and OS X are both closed source and both have security holes – there is a competition each year to help MS and Apple find them and fix them. Both Apple and Microsoft came away with security holes to fix this year. So just because it’s open source doesn’t automatically make it more open to security holes. I agree with Matt and believe that having the source open to all makes fixing the holes much quicker. – Tim

I think I can relate to this…

Anyway, Matt also wrote an article on How to keep WordPress secure.

Critical IE vulnerability found, browser switch recommended

Critical Internet Explorer vulnerability found, browser switch is recommended.

Serious security flaw found in IE

The flaw in Microsoft’s Internet Explorer could allow criminals to take control of people’s computers and steal their passwords, internet experts say.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world’s computer users.

Said Mr Ferguson: “If users can find an alternative browser, then that’s good mitigation against the threat.”

But Microsoft counselled against taking such action.

“I cannot recommend people switch due to this one flaw,” said John Curran, head of Microsoft UK’s Windows group.

He added: “We’re trying to get this resolved as soon as possible.

“At present, this exploit only seems to affect 0.02% of internet sites,” said Mr Curran. (Source: BBC)

Browsing vigilantly is not something a normal user can do unless you only use your web mail. The internet is filled with links all around. Even I end up on phishing sites once in a while, however hard I try to avoid them. It could be just an innocent-looking advertisement.

Description:

A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to a use-after-free error when composed HTML elements are bound to the same data source. This can be exploited to dereference freed memory via a specially crafted HTML document.

Successful exploitation allows execution of arbitrary code.

NOTE: Reportedly, the vulnerability is currently being actively exploited.

The vulnerability is confirmed in Internet Explorer 7 on a fully patched Windows XP SP3 and in Internet Explorer 6 on a fully patched Windows XP SP2, and reported in Internet Explorer 5.01 SP4. Other versions may also be affected. (Source: Secunia)

I would recommend a temporary switch to a competing browser.