Hosting Provider Automatically Fixes Vulnerabilities In Customers' Websites 73
An anonymous reader writes "Dutch hosting provider Antagonist announced their in-house developed technology that automatically detects and fixes vulnerabilities in their customers' websites. The service is aimed at popular software such as WordPress, Drupal and Joomla. 'As soon as a vulnerability is detected, we inform the customer. We also explain how the customer can resolve the issue. In case the customer does not respond to our first notice within the next two weeks, we automatically patch the vulnerability.' Antagonist plans to license the technology to other hosting providers as well."
Re:Why not fix it immediately? (Score:5, Interesting)
In two weeks it might be too late.
You're talking about customer data here. They may have some customizations in the code that break if you allow yourself to patch it.
I would take another approach: disable the vulnerable file until the customer fixes it. By fixing it for them you may generate expectations which you'll not be able to match in the long run: "don't worry about software updating, the hosting company will do it for us".
Re:Why not fix it immediately? (Score:4, Interesting)
It would have to detect that it can safely apply the patch. Also it could be opt in, of course.
Good idea, wrong solution (Score:2, Interesting)
Having dabbled with running shared hosting for 10+ years, there is a very clear business need for something like that.
The first line of defense for the web hosting company is to set security layers so that when a website gets hacked, only that account is compromised. Most respectable host can do that now.
But where does that leave you when a website gets compromised? Sure, the hack is contained to that account only, but still, script kiddies are running all kind of stuff on that account, and you have no other choices but suspend that account, and write an explanation letter to the customer.
And then what? The small business owner has no effing clue what the hell you are talking about and is furious that his website is down. You then proceed to explain that his site is hacked, and that nothing on it can be trusted no more. Does he have a clean backup? Of course not.. He contacts his buddy that set up the site 2 years ago. He has no clue of course. Blames the host for suspending the site of not being secure enough.. Buys some cheap hosting elsewhere and moves the site away from you.
This is a LOOSE LOOSE situation...
SO: I clearly see why they are being pro-active on this problem. There is a certain market segment of the shared hosting business that can benefit. That being said, I much, much prefer the mod_security approach, which works as a filter on the HTTP layer, to mitigate most script kiddies and automated hacks, which covers pretty much all the potential hacks these small websites can be targeted with and has much less potential side-effects.. Modifying customer data is a big no-no IMHO...