{"id":1329,"date":"2012-02-27T16:28:41","date_gmt":"2012-02-27T23:28:41","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=1329"},"modified":"2012-02-27T16:34:36","modified_gmt":"2012-02-27T23:34:36","slug":"we-warned-media-temple-about-the-need-to-keep-plesk-up-to-date-in-2010","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2012\/02\/27\/we-warned-media-temple-about-the-need-to-keep-plesk-up-to-date-in-2010\/","title":{"rendered":"We Warned Media Temple About The Need to Keep Plesk Up to Date in 2010"},"content":{"rendered":"<p>Ars Technica has been running a series of articles about the recent hack of several US Federal Trade Commission websites hosted at Media Temple. The latest <a href=\"http:\/\/arstechnica.com\/business\/news\/2012\/02\/plesk-control-panel-bug-left-ftc-sites-and-thousands-more-exposed-to-anon.ars\">reporting<\/a> indicates that a &#8220;critical vulnerability in some versions of Parallels&#8217; Plesk Panel control panel software appears to have been key to the recent penetration&#8221;. A patch for the <a href=\"http:\/\/kb.parallels.com\/en\/113321\">vulnerability<\/a> was released in September, though the article mentions that Parallels didn\u2019t send email alerting customers to the critical nature of the vulnerability until February. Media Temple&#8217;s failure to keep Plesk up to date goes back years, and we unsuccessfully tried to get them to address the issue back in July of 2010.<\/p>\n<p>Media Temple and Parallels are both part of the <a href=\"http:\/\/hostingsecurityforum.org\/\">Hosting Security Forum<\/a>, which is supposed to &#8220;share critical security information in order to protect the integrity of a customer\u2019s data, their web presence, and online availability&#8221;. That organization\u2019s website is running an outdated version of WordPress, 3.2.1, which might be a good indication as to the group\u2019s level of dedication to security. 
Media Temple, as well as\u00a0<a href=\"http:\/\/www.whitefirdesign.com\/blog\/2012\/02\/22\/dreamhost-shouldnt-be-giving-others-security-advice\/#outdated-software\">Dreamhost<\/a> and other members of that organization, is also <a href=\"http:\/\/www.whitefirdesign.com\/blog\/2012\/02\/27\/we-warned-media-temple-about-the-need-to-keep-plesk-up-to-date-in-2010\/#outdated-software\">running outdated software on their website<\/a>.<\/p>\n<h2>Warning Media Temple<\/h2>\n<p>Back in July 2010, during a period of hacks that were targeting Media Temple customers (but that Media Temple claimed was not due to their security failings), Media Temple made some long needed security improvements and asked for people to contact them if they were missing any security measures.<\/p>\n<p>While cleaning up a hacked website running on their Dedicated-Virtual service we noticed that Media Temple was using a nearly two year old version of Plesk, which also meant that the other software that comes with Plesk was also two years old. We contacted Media Temple to alert them to the need to keep that and other software running on their systems up to date, and at the time we hoped that they would quickly resolve the issue as they were publicly claiming to want to improve their security.<\/p>\n<p>Media Temple&#8217;s response was that there hadn\u2019t been a known vulnerability in Plesk since 2007 and therefore they were secure. We don\u2019t know why they felt they didn\u2019t need to keep their software up to date just because there had not been known vulnerabilities, but in any case it wasn\u2019t the whole truth. While the version of Plesk didn\u2019t have any known vulnerabilities, other software that came with that version of Plesk did have known vulnerabilities. We specifically brought to their attention that there were apparently security issues in at least the versions of ProFTPd, Ruby, and phpMyAdmin that came with it. We never received any response after we brought that up. 
Overall, their response seemed to be more focused on creating the impression that they cared about security than on actually making sure they and their customers were secure.<\/p>\n<p>During the email exchange they claimed they had recently put in place a policy that &#8220;requires us to patch any software with security flaws within 30 days of a patch being made available.\u00a0 For the most critical issues, such as a kernel exploit, we will patch immediately.&#8221; We certainly would describe the vulnerability in Plesk as being a critical issue, but for some reason they didn\u2019t feel the need to apply the patch immediately or even in the 30 day window.<\/p>\n<h2>Blame the Customer<\/h2>\n<p>When the issue of the hack was <a href=\"http:\/\/arstechnica.com\/business\/news\/2012\/02\/after-first-anon-hack-pr-firm-failed-to-update-other-gov-websites.ars\">first surfacing<\/a> Media Temple was quick to blame their customer for the hack and criticize them for running outdated software. While it\u2019s true that many hacks are due to issues which the customer is responsible for, and many of those are due to outdated software, it is irresponsible to claim that it was the customer\u2019s fault without actual evidence to support that, especially to do so publicly. For Media Temple to do this is worse, as during our email exchange they excused not keeping Plesk up to date on there not being known vulnerabilities, so they certainly should understand that just running outdated software doesn\u2019t mean that it is vulnerable. 
To be criticizing a customer for running outdated software when they don\u2019t keep the software they are responsible for up to date makes the response appalling.<\/p>\n<p>Unfortunately, Media Temple\u2019s response to this incident isn\u2019t out of line with the usual response that customers with hacking issues receive when contacting their web host about a hacking issue.<\/p>\n<h2 id=\"outdated-software\">Media Temple Runs Outdated Web Software<\/h2>\n<p>Based on the rest of Media Temple\u2019s actions it isn\u2019t surprising that they fail to keep software running on their website up to date (while criticizing others for doing the same).<\/p>\n<p><a href=\"http:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2012\/02\/media-temple-blog-wordpress-version.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1331 aligncenter\" title=\"Media Temple Blog WordPress Version\" src=\"http:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2012\/02\/media-temple-blog-wordpress-version.png\" alt=\"Media Temple Blog WordPress Version\" width=\"500\" height=\"150\" srcset=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2012\/02\/media-temple-blog-wordpress-version.png 500w, https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2012\/02\/media-temple-blog-wordpress-version-300x90.png 300w\" sizes=\"auto, (max-width: 500px) 85vw, 500px\" \/><\/a>Their blog is running WordPress 3.3. 
The latest version, 3.3.1, was released nearly two months ago and included a &#8220;<a href=\"http:\/\/wordpress.org\/news\/2012\/01\/wordpress-3-3-1\/\">fix for a cross-site scripting vulnerability that affected version 3.3<\/a>&#8221;.<\/p>\n<p><a href=\"http:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2012\/02\/media-temple-community-wiki-mediawiki-version.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1332\" title=\"Media Temple Community Wiki MediaWiki Version\" src=\"http:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2012\/02\/media-temple-community-wiki-mediawiki-version.png\" alt=\"Media Temple Community Wiki MediaWiki Version\" width=\"500\" height=\"150\" srcset=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2012\/02\/media-temple-community-wiki-mediawiki-version.png 500w, https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2012\/02\/media-temple-community-wiki-mediawiki-version-300x90.png 300w\" sizes=\"auto, (max-width: 500px) 85vw, 500px\" \/><\/a>The Media Temple Community Wiki is running a version of MediaWiki, 1.16.x, that hasn\u2019t been supported for nearly three months. They also failed to apply the last three updates for 1.16.x, all of which included security fixes. 
The oldest update they failed to apply, 1.16.3, was released over ten months ago.<\/p>\n<p>You can get alerts for outdated web software, like the ones in the screenshots above, with the <a href=\"http:\/\/www.whitefirdesign.com\/meta-generator-version-check\">Meta Generator Version Check extension<\/a> (available for <a href=\"https:\/\/addons.mozilla.org\/addon\/meta-generator-version-check\/\">Firefox<\/a> and <a href=\"https:\/\/chrome.google.com\/webstore\/detail\/fahebfpoehlhpngkmdgldkkilflkelbl\">Chrome<\/a>).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ars Technica has been running a series of articles about the recent hack of several US Federal Trade Commission websites hosted at Media Temple. The latest reporting indicates that a &#8220;critical vulnerability in some versions of Parallels&#8217; Plesk Panel control panel software appears to have been key to the recent penetration&#8221;. A patch for the vulnerability &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2012\/02\/27\/we-warned-media-temple-about-the-need-to-keep-plesk-up-to-date-in-2010\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;We Warned Media Temple About The Need to Keep Plesk Up to Date in 
2010&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,15],"tags":[],"class_list":["post-1329","post","type-post","status-publish","format-standard","hentry","category-bad-security","category-website-security"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/1329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=1329"}],"version-history":[{"count":12,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/1329\/revisions"}],"predecessor-version":[{"id":1339,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/1329\/revisions\/1339"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=1329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=1329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=1329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}