Ok, if you use WordPress (I use it on several sites), you probably logged into the admin interface and saw the top banner saying “WordPress 2.8.6 is available! Please update now.”
For most of us in the IT space (and especially in the security space), upgrades for security issues are normally no-brainers. However, this is a key example of why you need to understand the security risks and/or exploitable vulnerabilities and counterbalance them against your ability to upgrade.
Just because WordPress releases a “Security update” does not mean you should mindlessly update your site. As with any IT security issue, read and understand the issues before you make a determination.
In the case of the two security issues in the WordPress 2.8.6 release, here they are in layman’s terms:
Issue #1 – XSS (Cross-site Scripting) exploit/vuln/software bug in Press This that only manifests through untrusted author accounts. If you have a blog where you trust your authors, and their login credentials are not compromised, move on.
Issue #2 – Issue with naming file uploads on the Apache web server. If you are not using Apache (e.g. you run IIS), you don’t care. If you are not allowed to upload files to any directory on your web server, you don’t care.
So in other words, I will probably update my sites in due time, but since WordPress has released at least 4 updated versions in the last 30 days and I am not affected by the 2.8.6 issues, I can do this without a great sense of urgency.