Open Source digg-clone Pligg plugs security holes | Internet News

Open Source digg-clone Pligg plugs security holes

Dec 1, 2009

From the Web Apps at Risk files:

Pligg, an open source attempt at a Digg-like social networking voting site application, is being updated this week for some serious security vulnerabilities.

Many other vendors and projects typically release an update alongside a security advisory, but that’s not the case with the new Pligg 1.0.3 release. The full security advisory isn’t coming out until tomorrow (Dec 2), giving Pligg users (and there are a whole lot of them) a running head start on potential attacks.

Security researchers from firms big and small have been saying for the last few years that it is web applications that pose the greatest security risk to users. That’s because an attacker need only take advantage of one site to potentially infect thousands of that site’s users.

“Shortly after the 1.0.2 release we were alerted to a vulnerability reported by Secunia and third party researcher Russ McRee,” the Pligg blog states.

I think fixing before advising is the right approach both for Pligg and quite frankly for all applications. It’s always a race between hackers and users whenever a patch comes out at the same time as an advisory.
