Wikipedia dodges critical vulnerability that could have let attackers take over

A critical vulnerability that could have let attackers take over Wikipedia was closed by quick action on the part of the Wikimedia Foundation, the nonprofit that operates Wikipedia, working with Check Point, the security firm that found the hole in the site's code.

"It is conceivable that someone who discovered this vulnerability could have executed code that may have made it possible to access user data," says Wikimedia Foundation spokesman Jay Walsh. Check Point researchers found the vulnerability first, in MediaWiki, the open-source platform used to build and run wiki websites.

Check Point says its researchers uncovered a remote-code-execution flaw affecting MediaWiki 1.8 onwards, through which an attacker could potentially gain complete control of a vulnerable web server. A patch "was applied to the software within 45 minutes of discovery," says Walsh. Wikimedia also released the patch today so that other operators of the open-source code can apply it.


This is only the third time since 2006 that a remote-code-execution flaw has been identified in the MediaWiki open-source code. If an attacker had found it first, it would have been a "zero-day" vulnerability without a patch, says Patrick Wheeler, head of threat prevention product marketing at Check Point.

Check Point says that if the vulnerability had not been discovered and fixed, an attacker could have taken control of the web server of Wikipedia or of any other wiki site running on MediaWiki, and potentially injected malware-serving code into the pages delivered to visitors of those sites.

This would have been a disaster for the millions of visitors the site receives each month, and a blow to the respected open-source project behind the popular online Wikipedia encyclopedia.

Charles Henderson, director of application security services in Trustwave's SpiderLabs research division, says it's not that vulnerabilities are "necessarily better or worse" in open source than in closed-source, proprietary code. The point is that open-source code has become so widely used, including by business, that any serious security issue that crops up in it can't be ignored.

Some open-source projects do a good job of managing security updates, says Henderson, while others seem more lax. But the openness of how the code is developed and, when necessary, patched means that attackers can monitor open-source development fairly easily, he says.

Sonatype CEO Wayne Jackson says the security of open-source code is getting more attention from those in the federal government, for example, who want to know more about how it gets developed. Jackson says there have been a string of security incidents associated with identified open-source vulnerabilities, such as last summer when a vulnerability in the Apache Struts web application framework was sold as an automated attack script in Chinese circles online. The Struts vulnerability was also tied to a cyber-intrusion into a Chicago-based trading exchange around that time, Jackson adds.

It's not unusual to find commercial software of one sort or another integrating open source. Jackson says one example is Sydney, Australia-based Atlassian, which last summer publicly disclosed that the critical Struts vulnerability affected its own software. He pointed out that Cisco also issued a security advisory last October about an Apache Struts remote-code-execution vulnerability in its products.

It's often simple to identify sites built on open-source code such as Struts through a Google search, Jackson says.

Open-source code represents the modernization of software development, based on the idea of a "meritocracy" of achievement by software developers contributing into code they all share, Jackson says. But the downside is that "the ecosystem has treated open source like this huge sugar store, living off the sugar high of productivity."

One basic question about open-source is whether the organizations making use of it are even aware of it. "It's a fundamental problem," says Jackson. Sometimes it seems like the "bad guys are way more efficient than the good guys" in keeping track of open-source developments and usage.
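The inventory problem Jackson describes is the one a practitioner can actually do something about: list the third-party components a deployment ships and check each installed version against the ranges named in advisories. Below is an added example of that check, not code from Wikimedia, Check Point, Sonatype or any project mentioned above. It reads a constructed composer.lock-style document (the lockfile format PHP projects use) and compares versions against constructed advisories; every package name, version and version range in it is hypothetical.

```python
"""Added example: a minimal software-composition check.

Parses an inventory of third-party components from a constructed
composer.lock-style document and reports which installed versions fall
inside an advisory's affected range [introduced, fixed). All package
names, versions and advisories here are constructed for illustration;
none is a real MediaWiki, Struts or other project advisory.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Turn '1.22.1', 'v1.22.1' or '1.22.1-rc.2' into a comparable tuple.

    Only the leading dotted-integer core is compared; pre-release tags
    are dropped, which is deliberately conservative (1.22.1-rc.2 is
    treated as 1.22.1, so a release candidate of a fixed version is
    still reported as affected).
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; pads shorter tuples so that 1.8 == 1.8.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str        # first affected version, inclusive
    fixed: Optional[str]   # first fixed version, exclusive; None = no fix yet


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` lies in [introduced, fixed)."""
    if compare_versions(version, adv.introduced) < 0:
        return False
    if adv.fixed is None:
        return True
    return compare_versions(version, adv.fixed) < 0


def load_inventory(lock_json: str) -> dict:
    """Map package name -> installed version from a composer.lock-style document."""
    doc = json.loads(lock_json)
    return {p["name"]: p["version"] for p in doc.get("packages", [])}


def find_exposed(inventory: dict, advisories: list) -> list:
    """Return (component, installed_version, advisory) for every match."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is not None and is_affected(installed, adv):
            hits.append((adv.component, installed, adv))
    return hits


# Constructed inventory, shaped like a lockfile checked into a repository.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/wiki-engine", "version": "1.21.0"},
        {"name": "example/template-lib", "version": "v2.4.7"},
        {"name": "example/http-client", "version": "0.9.3-rc.1"},
    ]
})

# Constructed advisories: hypothetical components and hypothetical ranges.
SAMPLE_ADVISORIES = [
    Advisory("example/wiki-engine", introduced="1.8", fixed="1.21.4"),
    Advisory("example/template-lib", introduced="2.5.0", fixed="2.5.3"),
    Advisory("example/http-client", introduced="0.9", fixed=None),
]

if __name__ == "__main__":
    for name, ver, adv in find_exposed(load_inventory(SAMPLE_LOCK), SAMPLE_ADVISORIES):
        fix = f"upgrade to {adv.fixed}" if adv.fixed else "no fixed release yet"
        print(f"{name} {ver}: affected (>= {adv.introduced}); {fix}")
```

The half-open range and the zero-padding in compare_versions are the two details that most often go wrong in home-grown checks: an advisory that says "1.8 onwards" must match an installed 1.8.0, and the first fixed release must not be reported as vulnerable.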

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
