Do as I say, not as I do.
Security platform vendor Comodo has 'fessed up to a digital break-in affecting 245,000 users – after it ignored line one in the first chapter of the "How to do Basic Security" book about timely patching of software. Despite the whole world (yup, us too) shouting about the latest zero-day bug in vBulletin forum software, Comodo …
Wednesday 2nd October 2019 08:10 GMT Alister
It's easy to point and laugh
However, here are a couple of thoughts:
The reality is, for any large organisation, that there will be a change management process which has to be followed, and that process can take some time.
There must be a risk management process, and setting up an agreed maintenance window, and notifying users that the forum will be offline.
It's not just a single bloke in his mum's basement, who can decide to do the upgrade when he wants.
Secondly, VBulletin is notoriously fickle, and if you have any customisations or add-ons then upgrading to the latest version can really screw things up. To do that without any testing would be fatal, and obviously testing takes time.
Given they had five days notice, I'm not surprised they hadn't yet patched it.
Wednesday 2nd October 2019 08:28 GMT Hans 1
Security platform vendor Comodo has 'fessed up to a digital break-in affecting 245,000 users – after it ignored line one in the first chapter of the "How to do Basic Security" book about timely patching of software.
A lot seem to fail at that ... all the outdated, unpatched thus vulnerable tech still in operation across our industry ...
Wednesday 2nd October 2019 09:06 GMT Anonymous Coward
Moderator of a large ZA forum here. We were on vBulletin, but we migrated over to Xenforo.
When I read about the 0-day exploit, I was glad that we ditched vB for Xenforo. vB indeed is notoriously fickle to update and all that.
Now I'm wondering how many unpatched vB installs are still out there....
Wednesday 2nd October 2019 10:58 GMT NonSSL-Login
Layers of security
A lot of VBB installs that were vulnerable to this bug were not exploitable because of other server hardening techniques.
One would have thought a security company would have made sure their websites and customer facing servers were hardened being that a security breach affects their security related brand...