Submission + - WordPress download site cracked
JavaRob writes: From the WordPress development blog: "If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately."
Fortunately, they got a tipoff, but it's not clear how long the altered download (the cracker altered a couple of files to add in remote execution capabilities) would have stayed up otherwise.
Note: the cracker did not sneak in code by posing as an OSS developer (the common FUD scare scenario...); they just managed to crack one of the site's servers, and altered the download directly.
Apparently, WordPress has taken steps to ensure it doesn't happen again. Personally, I'm wondering about ways browsers and/or operating systems might be improved to automate checksum validation for downloaded executables.
Fortunately, they got a tipoff, but it's not clear how long the altered download (the cracker altered a couple of files to add in remote execution capabilities) would have stayed up otherwise.
Note: the cracker did not sneak in code by posing as an OSS developer (the common FUD scare scenario...); they just managed to crack one of the site's servers, and altered the download directly.
Apparently, WordPress has taken steps to ensure it doesn't happen again. Personally, I'm wondering about ways browsers and/or operating systems might be improved to automate checksum validation for downloaded executables.
