Be Prepared for Drupal Contrib Security Updates

Tue, 12/07/2016 - 19:33 -- James Oakley

The Drupal Security team has just released a public security announcement, PSA 2016-001.

There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25).

If you run any Drupal sites, please be prepared, and be ready to update your site as soon as this is released.

Why do I say that?

I've only once before known the Drupal security team to announce vulnerability-fixing updates before the actual release. This is about risk management. Pre-announcing puts would-be hackers on stand-by to watch for the update releases and work out the exploits, so it shortens the time before the patched vulnerabilities are being exploited in the wild. It's therefore generally not a good idea.

One thing overrides that. If a vulnerability is both serious enough and easy enough to exploit, hackers would be all over it like a rash anyway. As soon as the updates are released, it will take them very little time to work out how to exploit them, and the damage done would be significant. In those cases, the most critical thing is that site administrators patch as fast as possible, faster than the hackers can write malicious scripts. By putting site admins on alert, yes the hackers get notice too (but they were going to work fast regardless), so it's worth it if sites are patched faster.

So be prepared!

Oh, the one time I've known this from before? That was SA-CORE-2014-005, which acquired the nickname "Drupalgeddon". That hit both technology and mainstream news outlets, and is still being actively exploited 18 months later. It was so serious that the security advisory was followed up with a public service advisory that said

"You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement."

7 hours. Arguably that was more serious than tomorrow's looks to be. Its risk score was the full 25/25. It also involved Drupal core, which means every single Drupal site was vulnerable, whereas tomorrow's concerns (as yet unannounced) contributed modules, so only sites using those modules will be vulnerable. Still, we must assume that they are commonly used modules, and therefore your site and mine need patching, and fast.

So, be ready!
