WordPress 2.2 users beware

A zero-day exploit was posted to PacketStorm a few days ago for WordPress 2.2. The vulnerability allows SQL code injection due to unchecked inputs in the xmlrpc.php file. A patched version of this file has been posted to TRAC, but no official update has yet been released. If you’re running a WordPress 2.2 powered blog, I’d highly suggest applying this fix immediately. It might not be a bad idea to take a look through your database as well. There was a discussion of this exploit and the related fix on the WordPress support site, but I’m surprised that 5 days later there has still been no official mention of this on the WordPress dashboard.

update: A release candidate of 2.2.1 has been posted which fixes the xmlrpc bug as well as a few others. Hopefully we’ll see an official release of 2.2.1 soon…

OCR, eEye demo Vista/O2K7 hack

OCRegister blog: Gadgetress – post: Hacking Vista: Easier than you’d think

I thought I would post this for any of the non-techies that happen across my site. In case you’re thinking about upgrading to Windows Vista because it’s more secure, you might want to take a look at the video on the link above. The guys at eEye show just how easy it is to use the old trojan horse tactic to hack a computer running the latest OS from Redmond. In this case the attackers use an attack script disguised as a Word document to take control of the target computer. I do have to wonder if UAC was enabled on the example target, but either way it shows what is still the largest vulnerability on any computer: the human behind the keyboard. This is the critical piece of information that Tamara C. misses on her blog. That’s one security problem not easily fixed by software.

More MS fearmongering

Microsoft says Linux, other programs violate patents

The Redmond spin machine is at it again, claiming that open source software such as Linux may infringe upon patents held by the company. I would consider this claim to be possible, but unlikely. Of course only time will tell, but I suspect that this is merely the latest attempt at scaring executives away from using open source products. To some extent I think this tactic is having an effect. I have talked with several CIOs and senior IT managers who have expressed concerns with using open source in the enterprise. However, I think most competent managers evaluate a software product on its merits more than marketing hype and corporate FUD. (The competency part, well, that’s a whole other story…)