SQL injection bug threatens the websites of enterprises, governments, and many other institutions using the open source Drupal CMS
Word broke yesterday of a major-league security issue
involving Drupal, the open source content management system (CMS) used
widely in enterprises and government. Come to think of it, "major
league" doesn't begin to cover it: Drupal developers have admitted that if your installation wasn't patched before Oct. 15, 11 p.m. UTC, it's best to consider the entire site compromised.
How deep does the compromise run? Deep enough that simply upgrading to the latest version of Drupal won't help, and patching an affected website is only the first of many mitigation steps required.
Drupal
has long been a staple of enterprise CMSes, powering sites as diverse
as Whitehouse.gov and even InfoWorld.com itself at one point. Version 7,
unveiled in 2011, was built with features designed specifically to appeal to enterprise users.
Attackers began making use of the vulnerability to launch automated SQL-injection attacks against websites within hours of its original disclosure, according to Web security research firm Sucuri. The bug wasn't detected by Drupal's development team, but by an independent researcher referencing a bug that had been known since November of last year.
Acquia, the company that provides professional services, support, and hosting for Drupal, unveiled cloud-hosted versions
of Drupal for business-grade deployments as another spur to adoption.
The company began providing commercial support for Drupal back in 2008 and soon found
around half of its customers were small businesses, with enterprises,
public-sector outfits, nonprofits, and education forming the rest.
After the attack hit, the company claims it took proactive steps to protect customers running Drupal installations in its cloud -- the kind of protection the company touts as one of the advantages of using a hosted and managed installation of Drupal. According to Acquia, other commercial Drupal vendors (mainly Platform.sh and Pantheon) "all implemented different platform-wide protections for our respective customers," with the three companies collaborating on possible solutions.
One major takeaway is the speed at which attackers
were able to leverage information about the exploit as word of it
emerged. It shows today's cyber criminals are well-prepared to take
advantage of a known exploit, especially one that uses a widely
understood delivery method such as a SQL injection.
InfoWorld's
Roger Grimes expressed concern about the future of malware and the idea
that "a vendor releases a patch and every possible machine is exploited
before anyone even wakes up," as he put it in an email. "Does it
eventually become a race between the vendor and malware writer for
customer trust? ... Most bad guys don't want to exploit every computer
immediately because all that does is ramp up the patching speed, and
that's counterproductive to what they want."
Source: http://www.infoworld.com