Every six months IBM's x-Force security team releases a report about what software has had what vulnerabilities. Joomla! usually ranks pretty high, not because of vulnerabilities in the core, but because there are thousands of third party extensions (some not actively developed since Joomla! 1.0.1) that exist out in the world. Every six months I explain to the folks at IBM that the Joomla! Project isn't the vendor for third party extensions. They listen, but they don't change.
The new report is out, and as usual it's both interesting and frustrating. When reading it, keep in mind that IBM doesn't evaluate the reports for accuracy at all, they just count any reports that come from anywhere mildly authoritative (even a security account in Twitter has an entry). They use the same sources we all do to monitor security reports. They do a pretty good (but not perfect) job of merging duplicates. The big deal in the new report is that it claims that 80% of Joomla vulnerabilities are unpatched. How they decide that something is patched is not described in their report.
Of course, all vulnerabilities in the Joomla core are patched and openly discussed in the Joomla security center and release notes. We think that is best practice for maintaining a high level of security in the core. But what about all of those other issues? So, having gone a few rounds on this, I know I'm not likely to convince them that these are mainly not Joomla vlunerabilities, this lovely Sunday morning I spent about five hours going through all of the Joomla reports in their database from the last six months.
Before I describe what I found, I want to give the key thing I learned: If you are an extension developer who fixes a vulnerability it is really important that you go back to the security sites and have them update the reports to show them as resolved. Messages like "80% of Joomla vulnerabilities are unpatched" harm not just your extension, they harm the reputation of the core product that so many people depend on for their livelihoods and they harm the reputations of all extension developers. We've all built this brand, and we should all protect it. Follow up, and make sure you put security fixes in your release notes or change logs too. I won't tell you how many third party extension sites I went to this morning where I could not tell if a vulnerabilty had been fixed or not, but it was a lot. Let your current and potential customers know that you take security seriously.
What I did was to go through each Joomla report from the last six months (about 80 altogether includind about 19 "patched" ones) and attempted to visit the site of the extension involved. What I found was interesting. First, there were were four reports that in the x-Force's own records were already marked as false but were still being listed as unresolved vulnerabilities. There were 15 "unpatched" reports that I could easily find had been patched.
So, those three groups account for about half of the reports. What about the rest? By far the most common status for the unpatched is "no longer developed." Some of the unpatched reports are for extensions that have not been updated since before Joomla 1.0, meaning that they were actually Mambo extensions. If you are using an extension that has not been updated since 2005, I am going to suggest that you find a new extension, no matter how much you love it. Either that, or become the maintainer and update it yourself.
The next biggest group were extensions that are in alpha, beta or RC. That is, they should not be used on production sites. I hope that all of those developers pay attention to these reports and resolve them, but they don't make me feel at all that production Joomla sites have a lot of vulnerabilities.
Finally there were a number of reports for actively developed stable extensions. Some of these may be resolved, some may not be. These are the sites where it was difficult to tell what the most recent updates included in terms of security. Most of them are pretty recent reports. I used contact forms on a lot of the sites to alert the developers to the reports.
Writing on behalf of "the vendor" I sent IBM x-Force an e-mail asking them to change the statuses of most of the open reports to something more appropriate. But what would really be better is for the actual vendors to update their information. You can search their database (bottom half of the page) to see if your extension is mentioned.
By the way, think about the fact that with over 3200 extensions in the JED and thousands more for 1.0.x only or not in the JED for other reasons, there are only this many security reports for extensions. Something else, too. In the Joomla extension I use to manage PDFs, if I say you have to be registered to read it, you really do have to be registered to read it. I think we're seeing solid, steady improvement in adoption of good security practices in the third party development community, and I that is really contributing to the incredible growth and strength of the Joomla project.
