With the Drupal Security team's release of a public service announcement, the infamous security advisory SA-CORE-2014-005 (widely shortened to 'SA-005') is back in the news. Even though it's old news, we've been fielding a new round of questions, so we thought we'd try to clear up some of the confusion.
The Drupal 7.32 core update was released at 3am Sydney time on October 16 (16:00 UTC on October 15), about two weeks ago. And anyone paying attention knew it was coming.
On October 10 the security team announced that there would be a release on October 15. This in itself was notable, as typically they announce a 'release window' for a possible security release. This time, we knew for certain there would be a release, which meant we'd better start planning.
We always move quickly to apply security updates, but most of the time the vulnerabilities are 'admin only': exploiting them requires an account that already holds elevated permissions, so careful management of users, roles and permissions limits the exposure to start with. It's still a risk, so we apply the updates in a timely manner, but these are not considered critical.
This update seemed different. We received several ominous warnings from hosting providers including Pantheon and Acquia indicating the update should be applied as soon as humanly possible. It had to be the dreaded 'anonymous' kind of vulnerability, meaning it could be exploited by anyone who could reach the site over the network, without an account of any kind.
We are responsible for updating more than 30 sites, in addition to other sites where we provide support for internal teams who do their own updates. So what did we do? We made a spreadsheet, of course!
We put together a list of every site we had to update, and assigned a developer to each one. Given the severity of the warnings, we knew we had to be ahead of things, which in our time zone meant a very early morning.
The patching started at 4:30am Sydney time. We had the update deployed to production for every site that we manage by 7am. And we could breathe easy knowing that we had beaten the attackers, who later posted detailed information on how to execute an attack. (The update was carefully written so that it was not immediately obvious how to exploit the issue.)
So back to the PSA. There are thousands of Drupal sites out there that weren't patched quickly, or haven't been patched yet. If you have a site in one of those categories, the PSA provides recommendations on what to do now. Its rule of thumb: if your site was still unpatched more than 7 hours after the release (that is, after 11pm UTC on October 15), you should assume it may already have been compromised, even if you have updated since. Applying the update closes the hole, but it does not remove anything an attacker left behind in that window.
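To make the two practical points above concrete (a list of sites to work through, and the 7-hour cut-off), here is an added example, not code from the original post or from the Drupal project, that triages a fleet of Drupal 7 docroots. It reads the `VERSION` constant that Drupal 7 defines in `includes/bootstrap.php`, checks whether the site is on 7.32 or later, and compares the time the fix reached production against the release time (3am Sydney AEDT on October 16 is 16:00 UTC on October 15). The site records, deployment timestamps and status labels are constructed for illustration; in practice you would read the `bootstrap_php` text from each docroot and the `deployed_at` value from your deployment log.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# SA-CORE-2014-005 shipped as Drupal 7.32 at 3am Sydney time on 16 October
# 2014 (AEDT, UTC+11), i.e. 2014-10-15 16:00 UTC. The PSA's cut-off for
# "assume the site was compromised" is 7 hours after that (23:00 UTC).
RELEASE_UTC = datetime(2014, 10, 15, 16, 0, tzinfo=UTC)
GRACE = timedelta(hours=7)
FIXED_VERSION = (7, 32)

# Drupal 7 declares its version in includes/bootstrap.php as
#   define('VERSION', '7.32');
_VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_drupal_version(bootstrap_php):
    """Return the VERSION string from bootstrap.php source text, or None if absent."""
    m = _VERSION_RE.search(bootstrap_php)
    return m.group(1) if m else None


def version_tuple(version):
    """'7.32' -> (7, 32). Stops at the first non-numeric component ('7.33-dev' -> (7, 33))."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def is_patched(version):
    """True only for Drupal 7.32 or later, the branch this advisory covers."""
    if version is None:
        return False
    v = version_tuple(version)
    return len(v) >= 2 and v[0] == 7 and v >= FIXED_VERSION


def exposure_hours(deployed_at):
    """Hours the site stayed unpatched after the release."""
    return (deployed_at - RELEASE_UTC) / timedelta(hours=1)


def triage(site):
    """Classify one site record {'name', 'bootstrap_php', 'deployed_at'} (constructed format)."""
    version = parse_drupal_version(site["bootstrap_php"])
    if version is None:
        return "unpatched"            # cannot confirm a fixed version: treat as unpatched
    v = version_tuple(version)
    if not v:
        return "unknown-version"
    if v[0] != 7:
        return "not-drupal-7"         # advisory applies to the 7.x branch only
    if not is_patched(version):
        return "unpatched"            # update now and treat the site as compromised
    deployed = site.get("deployed_at")
    if deployed is None:
        return "patched-time-unknown"  # cannot rule out the window: investigate
    if exposure_hours(deployed) <= GRACE / timedelta(hours=1):
        return "patched-in-window"
    return "patched-late"             # PSA: assume compromised, restore from backup


def triage_fleet(sites):
    """Map each site name to its triage status."""
    return {s["name"]: triage(s) for s in sites}


# Constructed sample fleet (hypothetical hostnames): a small version of the
# post's spreadsheet, with bootstrap.php contents and deploy times inlined.
SITES = [
    {"name": "alpha.example", "bootstrap_php": "<?php\ndefine('VERSION', '7.32');\n",
     "deployed_at": datetime(2014, 10, 15, 18, 30, tzinfo=UTC)},   # 2.5h after release
    {"name": "beta.example", "bootstrap_php": "<?php\ndefine('VERSION', '7.31');\n",
     "deployed_at": None},                                         # still on 7.31
    {"name": "gamma.example", "bootstrap_php": "<?php\ndefine('VERSION', '7.32');\n",
     "deployed_at": datetime(2014, 10, 20, 9, 0, tzinfo=UTC)},     # patched days later
    {"name": "delta.example", "bootstrap_php": "<?php\ndefine('VERSION', '7.32');\n",
     "deployed_at": None},                                         # no deploy record
]

if __name__ == "__main__":
    for name, status in triage_fleet(SITES).items():
        print(f"{name:16} {status}")
```

Note that "patched-late" and "patched-time-unknown" are the cases the PSA is about: the version check alone says the site looks fine, and only the deployment time tells you whether you need to go hunting for backdoors or restore from a backup taken before the release.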
Making headlines is exactly what the PSA was intended to do. Rather than trying to bury this issue, the Drupal community wants to ensure that it gets maximum exposure, to increase the level of compliance.
So, yes, this is an incredibly serious vulnerability that requires immediate attention, if you haven't already addressed it. If you don't know what to do, check out this FAQ page from the security team. If you have been compromised and need help, check out the documentation on Drupal.org.
Downplaying the severity of security issues might make some people feel better. But it also might mean people are less likely to take action. And it certainly won't obscure them from those who would exploit them.
If you are wondering what to take away from this, consider that all software will at some point be found to have a security issue. It's how these issues are handled that you should focus on.
Very informative, thanks a lot.
Thanks for the excellent, clear and accurate article about this! And for patching your clients' websites so fast! :)