“WordPress is a very popular platform for attackers to target,” he said. “There’s not a whole lot WordPress can do if people neglect to update their WordPress or plug-in software.” Roel Schouwenberg, senior researcher for Kaspersky Lab
SC Magazine recently published a summary of the Kaspersky report identifying WordPress as the attack vector for intruders to establish infrastructure to spread the Flashback/Flashfake OSX Trojan. The article included quotes from Roel Schouwenberg, senior researcher for Kaspersky Lab.
Mr. Schouwenberg (@schouw), as seen in the above quote, held the WordPress developers effectively blameless for their product being used as the primary infection vector for a 600,000+ member botnet – about 2% of all Mac OS installations.
Don’t get me wrong, if you choose to host your own publicly facing service on the Internet (such as this one) you have an ethical duty to ensure that it is not being used for evil to the best of your abilities. This includes regular updates and patching.
Additionally, Internet users share responsibility in ensuring the security of their own machines to the best of their ability. This includes running effective Anti-Virus (yes, I’m talking to you OSX users) and patching software (such as Java Virtual Machine exploited by this trojan).
However, neither the operators of blogs (such as myself) or the end-users of computers (again, such as myself) cannot be expected to reverse engineer every piece of software or service that we execute to search for vulnerabilities and then patch those. That is the sole responsibility of the software developer. Therefore, they hold at least some of the blame.
Additionally, patching is almost always a losing security proposition. This is because the patch will almost always be in response to a known vulnerability. Which is why zero-day exploits are still so effective.
The answer is to write secure software in the beginning. I’m not saying that all software should be, or will be, free of vulnerabilities – I have written over 1,000,000 lines of code myself and I understand fully what it means to write secure code and the incredible, and maybe impossible, challenge that entails. But, we must begin to hold software developers more accountable for vulnerabilities rather than placing all the blame on the users. The developers are the only ones who can effectively preempt the attackers by preventing vulnerabilities in the first place and requiring a third-party plug-in architecture (such as in WordPress) to be secure as well (i.e. using sandboxes).
Microsoft has done a tremendous job in this endeavor. It hasn’t been easy but over the last 10 years they have made significant progress as shown by the reduced vulnerability and exposure surface of their software as well as third-party software running on their operating system. It can be, and should be, done.