SoylentNews is people
SoylentNews
More than 115,000 websites—many run by major universities, government organizations, and media companies—remained wide open to hacker takeovers because they hadn’t installed critical patches released 10 weeks ago, security researcher Troy Mursch said Monday. A separate researcher reported on Tuesday that many of the sites were already compromised and were being used to surreptitiously mine cryptocurrencies or push malware on unsuspecting visitors.
Infected pages included those belonging to the University of Southern California, Computer World’s Brazil site, and the Arkansas Judiciary’s Courts and Community Initiative, which were causing visitors’ computers to run resource-intensive code that mines cryptocurrency, Jérôme Segura, lead malware intelligence analyst at antivirus provider Malwarebytes, told Ars.
Segura said a Harvard University page that earlier was also infected with mining malware had since been defaced, presumably by a different party. Meanwhile, a Western Michigan University page that earlier was infected with code that pushed a malicious browser extension was later repaired. Segura reported his findings Tuesday and has indexed more than 900 infected sites here.
The lack of patching and the site takeovers that makes possible come after Drupal maintainers released an update in March that allowed hackers to remotely execute code of their choice. The severity of the vulnerability patched, combined with the ease in exploiting it, quickly earned the flaw the nickname Drupalgeddon2, a throwback to a similar 2014 Drupal vulnerability that came under mass exploit within hours of a patch being released. Drupal maintainers patched a separate code-execution vulnerability in April. The March and April vulnerability disclosures came with proof-of-concept exploits that provided a blueprint for malicious hackers to use. Almost immediately after the release of the April patch, the underlying vulnerability came under attack, but it so far has proven harder to successfully exploit.
(Score: 2, Insightful) by Anonymous Coward on Saturday June 09 2018, @12:15AM (3 children)
To update, or not to update, that is the question. This nasty vulnerability was introduced in an update. Updating right away left countless websites vulnerable. The fix is issued via another update. So those who were burned by the vulnerable update are supposed to trust the new update. This erodes confidence and results in many sites never updating and being exposed to old(er) vulnerabilities.
If I were to exploit this vulnerability the first thing I would do is update the version number of Drupal so it looks like the fix has been applied. But that's just me, right?
(Score: -1, Spam) by Anonymous Coward on Saturday June 09 2018, @12:24AM (1 child)
Impossible. Zackham couldn't believe what he was witnessing; it was like a scene from hell itself. A man was on top of a woman in an alleyway, beating and raping her whilst crying like a child. Zackham overheard the man scream that he was taking those actions because the woman had walked past him in a disrespectful manner. The courageous man, Zackham - whose heart was filled with justice - knew he had to stop this immediately. Thus, Zackham charged in.
Slam! Slam! Slam! Slam! Zackham's fists rained down on the woman's face and body. As time went on, the sound of the fists colliding with the woman's flesh became more and more like a crunching sound; this was due to the fact that her skull had been utterly broken. While the unenlightened would be startled by this, Zackham's fists embodied justice itself, so it came as no surprise that they could effortlessly sunder bones. Then, at long last, the woman's motion abandoned her wretched body, making her an inanimate object that was the very picture of silence. After that, there was cheering.
The other man, as well as several witnesses, cheered. The man Zackham had saved from the oppressor expressed his immense gratitude. In response, Zackham casually accepted the man's positive feelings, and then departed with great haste.
Yes, with great haste. After all, men the world over were being oppressed, so there was no time for The World Savior to waste...
(Score: 2, Funny) by realDonaldTrump on Saturday June 09 2018, @04:01AM
.....the Aristocrats.
(Score: 2) by darkfeline on Saturday June 09 2018, @10:24PM
No dichotomy here. Unless you have audited the specific version you are using and know that that particular version doesn't have any vulnerabilities, it's a 50/50 chance that your specific version is "clean" or it came after a "bad update". No, that's a lie, because any version of any software is more likely to contain a vulnerability than not; the vulnerability just hasn't been found yet.
It is always better to be updated than not. There is a slight caveat here; if the project has releases of varying stability (e.g. bugfixes versus feature releases), it could make sense to only take the stable releases. But you should always be updated.
Join the SDF Public Access UNIX System today!