On Friday, Oct 10th, the Drupal Security Team notified the community to be on the lookout for a security release the following Wednesday. While that was already the standard monthly “window” for a potential security release, the team had never given this kind of additional warning before. We took it as a hint that this security release was going to be a big one.
And it was. Nearly all vulnerabilities found in Drupal core and contributed modules can only be exploited by an administrator (or by someone who tricks an administrator into granting them access). This one, officially SA-CORE-2014-005, a SQL injection in Drupal 7's database abstraction layer, was the first in Drupal's fourteen-year history that an anonymous attacker could exploit to gain full control of the site and, depending on how the hosting is configured, possibly of the entire server.
While our Drupal Maintenance Plan with Advomatic gives a one-week turnaround time for installing security updates, we scheduled the team to start work the minute the vulnerability was publicly announced. Production sites were patched within hours.*
As expected, exploits were found in the wild about twenty-four hours after the public announcement. The vulnerability has come to be known as Drupageddon. It is estimated that hundreds of thousands of Drupal sites have been compromised since.
If you have Drupal Maintenance Plan with Advomatic, you’ve dodged a bullet.
Additionally, we would like to congratulate the Drupal Security Team on a very professional and responsible job of handling this vulnerability. A platform's security is measured as much by how serious vulnerabilities are addressed when discovered as by how many of them there are.
If you do not have a maintenance plan and did not update, your site is most likely already compromised. Applying the update now closes the hole, but it does not remove anything an attacker has already planted. Go here to learn what to do next.
* For some clients we patched this specific vulnerability immediately (one line of code), but waited to deploy the rest of Drupal 7.32 until it had been approved on the development server.
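The one line mentioned in the footnote is in expandArguments() in includes/database/database.inc, the routine that turns an array argument such as array(':ids' => array(1, 2)) into the placeholders :ids_0, :ids_1 and splices those names into the SQL text. Before 7.32 the suffix came from the array's own keys. Since PHP decodes a request parameter written as name[key]=value into an array, a code path that passed a form value straight through let the attacker choose those keys, and the keys became part of the query string rather than of a bound parameter, so the parameterized-query API no longer protected it. The block below is an added example, not the post's or Drupal's own code: a reduced re-implementation of that expansion showing the pre-7.32 behaviour beside the 7.32 fix. The query and the array key are constructed for illustration (the key is a generic tautology, not a working payload), and the function name is this example's own.

```php
<?php
// Added example; not code from the original post and not Drupal core itself.
// Reduced re-implementation of the array-placeholder expansion performed by
// expandArguments() in Drupal 7's includes/database/database.inc, with the
// pre-7.32 behaviour and the one-line 7.32 fix selectable by a flag.

function expand_arguments(string $query, array $args, bool $patched): array
{
    // Only array-valued arguments are expanded; scalars stay bound as-is.
    foreach (array_filter($args, 'is_array') as $key => $data) {
        // The entire 7.32 fix: array_values() discards the caller's keys, so
        // $i below is always an integer the code generated itself.
        $items = $patched ? array_values($data) : $data;

        $new_keys = [];
        foreach ($items as $i => $value) {
            // Pre-7.32: $i is whatever key the caller (or the request) supplied
            // and is concatenated straight into a placeholder name.
            $new_keys[$key . '_' . $i] = $value;
        }

        // The new placeholder names are spliced into the SQL text. '\b' stops
        // ':name' from also matching a longer placeholder such as ':name_x'.
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);

        // Replace the array argument with its expanded, individually bound parts.
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

// Constructed input (not a captured request). A string argument such as a
// submitted user name could arrive as an array when the request carried
// name[...]=..., and the array's KEY was attacker-chosen. The key here is an
// illustrative tautology only.
$query = 'SELECT uid FROM {users} WHERE name IN (:name) AND status = 1';
$args  = [':name' => ['0 OR 1=1 -- ' => 'irrelevant']];

foreach ([false, true] as $patched) {
    [$sql, $bound] = expand_arguments($query, $args, $patched);
    printf("%s\n  SQL:    %s\n  bound:  %s\n",
        $patched ? 'with 7.32 fix' : 'before 7.32',
        $sql,
        implode(', ', array_keys($bound)));
}
```

Run it with php and compare the two SQL strings: before the fix the array key is printed verbatim inside the query text, after the fix the only thing that reaches the query is the placeholder :name_0, and the attacker's text survives only as a value that is bound, never interpreted. The general lesson is the one to carry to other code bases: a prepared-statement API protects only what ends up in a bound parameter, and any input that is concatenated into the statement text, including identifiers and placeholder names, is injectable.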