Reuters blog platform may still be out of date despite hack
News service Reuters appears to still be running the same outdated version of WordPress that allowed its blogging platform to be compromised by attackers last week.
Attackers published fake blog posts on Friday, including a purported interview with the leader of the Free Syrian Army. Mark Jaquith, one of the lead developers behind WordPress, told The Wall Street Journal that Reuters had been running version 3.1.1 instead of the latest version, 3.4.1. There are at least 20 reported vulnerabilities in version 3.1.1.
While blogs.reuters.com was taken offline shortly after the attack, the site is again operational. But it may still be running a vulnerable version. Following a tweet Tuesday by security blogger Brian Krebs, SCMagazine.com analyzed the HTML source code on the Reuters blog site and found a line in the header section indicating the page was generated using WordPress version 3.1.1.
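Site operators can run the same header check against pages they serve. The following is an added example, not code from SCMagazine.com, Reuters or WordPress; the sample HTML is constructed, and the check assumes the standard WordPress `<meta name="generator" content="WordPress X.Y.Z">` header line.

```python
import re
from html.parser import HTMLParser

LATEST = "3.4.1"  # latest WordPress release named in the article

# Constructed sample page head, modelled on the header line the article describes.
SAMPLE = """<html><head><title>Example blog</title>
<meta name="generator" content="WordPress 3.1.1" />
</head><body></body></html>"""


class GeneratorFinder(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", "").strip())


def version_tuple(text):
    """'3.4' -> (3, 4, 0), so two- and three-part versions compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def wordpress_version(html):
    """Return the WordPress version the page advertises, or None."""
    finder = GeneratorFinder()
    finder.feed(html)
    for content in finder.generators:
        m = re.fullmatch(r"WordPress (\d+(?:\.\d+){1,2})", content)
        if m:
            return m.group(1)
    return None


def audit(html, latest=LATEST):
    """Classify a page you operate by the version it discloses."""
    found = wordpress_version(html)
    if found is None:
        # Absence of the tag says nothing about patch level; check the install itself.
        return "no-generator-tag"
    return "outdated" if version_tuple(found) < version_tuple(latest) else "current"
```

A "current" or "no-generator-tag" result only reflects what the page discloses; the installed version still has to be confirmed on the server.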