So I’m a regular reader, and contributor, to the MacFixit forums, technical computer troubleshooting forums for Mac users that are part of the larger MacFixIt Web site.
MacFixIt is a very large, highly active Macintosh troubleshooting site. It offers articles, advice, commentary, and tips for all things Macintosh. Among other things, it announces new Apple security updates, and recommends that users keep on top of security patches. Good advice, right?
The forums at MacFixIt run on Web forum software called UBB.threads. To be specific, they run on UBB.threads version 6.0.2, released in 2002.
Now, let’s think about that for a second.
A large, busy Web site–a Web site dedicated to, among other things, information about computer security updates–is running forum software it has not updated since 2002. I bet some folks will already be able to tell where this story is going.
Yesterday, I logged on to the forums to discover that the forum topics and message board lists had been replaced with long lists of racial epithets. A quick Google search turned up a security advisory dating back to 2005, or three years ago, reporting that versions of UBB.threads prior to 6.5.2 had a really, really big number of really, really serious security problems, including cross-site scripting vulnerabilities, SQL injection vulnerabilities1, and parameter inclusion vulnerabilities.
Turns out versions prior to 6.5.3 also have a posting vulnerability that can yield up complete control of the Web server to a malicious user.
Now, these are just the vulnerabilities that have been known and documented, and reported by UBB.threads itself, in the last three years. Even more recent versions still have some pretty significant vulnerabilities.
The current version, just for the record, is 7.2.
So I fired off an email to the administrator of the MacFixit forums, and for the last day and a half the forums have been “down for maintenance.”
Egg, meet face. How in the name of God, in this day and age, does anyone who runs any kind of sophisticated server software on the Internet not keep on top of security updates? For six years?
1 And in this day and age, anyone who does not sanitize user input to guard against SQL injection needs to be shot.
Including you, Microsoft.