Running Drupal? You need to patch, patch, patch right now!

Anyone running a website built with Drupal should stop whatever they are doing right now and install critical security patches.

The company has put out an urgent security patch and warned Wednesday that it has discovered a remote code execution vulnerability in “multiple subsystems” of its content management system software.

The holes could allow hackers to attack a Drupal website in a number of different ways, which, in the project's words, “could result in the site being completely compromised.” In other words, it’s really bad.

A hacker will be able to hack your site from any webpage, the company warned, and it doesn’t require them to log in or have any privileges, meaning that a completely anonymous user can take over your site as well as access, delete and change non-public data.

There is currently no attack code, but Drupal has warned it could be a mere matter of hours before some is developed. Which means one thing: patch. And do it now.

So what’s the problem?

The flaws – tracked together as CVE-2018-7600 – are in the software’s core and affect versions 6, 7 and 8 of its content management software.

The company is so concerned that malicious actors will be able to develop attack code fast that it took the rare step of informing website administrators last week so they could schedule downtime.

Drupal has also produced patches for older versions of its latest software – 8.3 and 8.4 as well as the most current 8.5 version – to ensure that websites can be updated as soon as possible, rather than requiring a full upgrade.

A 7.x patch is also available, but if you are still running version 6.x, you may have a big headache on your hands – Drupal has not put out a patch.
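Before you can patch you need to know which core versions you are actually running across your estate. The following inventory script is an added example, not code from the article or from the Drupal project: it reads the VERSION constant that Drupal core itself ships (Drupal 8 in core/lib/Drupal.php, Drupal 7 in includes/bootstrap.inc, Drupal 6 in modules/system/system.module), then compares each site against a table of first-fixed releases per branch. The fixed-release numbers in DEMO_FIXED and the three sample docroots are constructed placeholders for the demo; take the real fixed releases from the Drupal advisory. Version 6.x is reported separately because, as the article notes, no patch exists for it.

```python
"""Inventory Drupal docroots and flag the ones still on a vulnerable core version.

Added example; not from the article or the Drupal project. The version file
locations and constant formats are those Drupal core has used for 6.x, 7.x and 8.x.
"""
import os
import re
import tempfile

# Where each Drupal major release keeps its core VERSION constant.
VERSION_FILES = (
    "core/lib/Drupal.php",           # Drupal 8: const VERSION = '8.x.y';
    "includes/bootstrap.inc",        # Drupal 7: define('VERSION', '7.x');
    "modules/system/system.module",  # Drupal 6: define('VERSION', '6.x');
)
VERSION_RE = re.compile(
    r"""(?:define\(\s*'VERSION'\s*,\s*|const\s+VERSION\s*=\s*)'([0-9][0-9.]*)'"""
)

# PLACEHOLDER table (constructed for this demo, NOT the real advisory numbers):
# branch prefix -> first release of that branch that carries the fix.
DEMO_FIXED = {
    (7,): (7, 60),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 9),
    (8, 5): (8, 5, 2),
}


def parse_version(text):
    """Return the core version as a tuple of ints, or None if no constant found."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def read_core_version(docroot):
    """Look for the version constant in the known file for each major release."""
    for rel in VERSION_FILES:
        path = os.path.join(docroot, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as f:
                version = parse_version(f.read())
            if version:
                return version
    return None


def classify(version, fixed_versions):
    """Classify a core version against the per-branch first-fixed table."""
    if version is None:
        return "unknown"
    if version[0] == 6:
        return "no-patch-available"  # 6.x has no fix; only an upgrade helps
    # Longest branch prefix first so (8, 5) wins over a bare (8,) entry.
    for branch, fixed in sorted(fixed_versions.items(), key=lambda kv: -len(kv[0])):
        if version[: len(branch)] == branch:
            return "patched" if version >= fixed else "vulnerable"
    return "unknown-branch"


def scan(roots, fixed_versions):
    """Map each docroot to its status."""
    return {root: classify(read_core_version(root), fixed_versions) for root in roots}


def build_sample_tree(base):
    """Construct three fake docroots containing only the version file (demo data)."""
    samples = {
        "site-d6": ("modules/system/system.module", "<?php\ndefine('VERSION', '6.38');\n"),
        "site-d7": ("includes/bootstrap.inc", "<?php\ndefine('VERSION', '7.57');\n"),
        "site-d8": ("core/lib/Drupal.php", "<?php\nclass Drupal {\n  const VERSION = '8.5.0';\n}\n"),
    }
    roots = []
    for name, (rel, body) in samples.items():
        path = os.path.join(base, name, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
        roots.append(os.path.join(base, name))
    return roots


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for root, status in scan(build_sample_tree(tmp), DEMO_FIXED).items():
            print(f"{os.path.basename(root)}: {status}")
```

Point `scan()` at your real docroots (for example the parents of each site's `index.php`) and replace DEMO_FIXED with the releases named in the advisory; anything reported as "vulnerable" or "no-patch-available" is a site to take offline or update first.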

“The Drupal Security Team urges you to reserve time for core updates because exploits might be developed within hours or days,” it warned last week.

While the approach of giving website administrators a heads-up – including a release window of 18:00 – 19:30 UTC – was good in theory, it backfired somewhat on Wednesday when the huge surge of attention ended up overwhelming the company’s servers, making it harder to publish the actual patches.

Warning people in advance: a good idea in theory

As administrators waited patiently – and impatiently – for the patches to drop, an impromptu series of conversations started up on mailing lists and on social media. A game of internet hangman popped up. Memes erupted.

It may be worth noting that while a critical vulnerability in one of the world’s most popular content management systems is not a good thing, it can have interesting side-effects: such as when the website of law firm Mossack Fonseca was hacked and ransacked, providing the extraordinary information that led to the so-called Panama Papers – all because the firm failed to update Drupal and so patch a critical vulnerability.

The Panama Papers revealed a vast global conspiracy to hide money in overseas bank accounts and resulted in unprecedented promises to cut down on tax evasion.

We’ll have to wait and see if anything similar emerges from this security scramble. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/28/running_drupal_you_need_to_patch_patch_patch_right_now/