Help & Resource Center

Magento Security Patch & Malware Alert - October 2015

November 2, 2015 @ 9 am CST

All websites running Magento Community and Enterprise Editions have successfully been patched.

Please submit a Support Request if you have any further questions about SUPEE-6788.  Thank you.


October 27, 2015 @ 5 pm CST

Ok, Magento Security Patch SUPEE-6788 was officially released today and it is a big one! Here are the security problems addressed in this patch:

  • Cross-site Scripting/Cache Poisoning - APPSEC-1030
    • Severity = 9.3 (Critical)
  • Error Reporting in Setup Exposes Configuration - APPSEC-1102
    • Severity = 7.5 (High)
  • Filter Directives Can Allow Access to Protected Data - APPSEC-1057
    • Severity = 7.5 (High)
  • XXE/XEE attack on Zend XML functionality using multibyte payloads - APPSEC-1045
    • Severity = 7.5 (High)
  • Potential SQL Injection in Magento Core Model Based Classes - APPSEC-1063
    • Severity = 7.4 (High)
  • Potential remote code execution using Cron - APPSEC-1037
    • Severity = 7.2 (High)
  • Remote Code Execution/Information Leak Using File Custom Option - APPSEC-1079
    • Severity = 6.5 (Medium)
  • Cross site scripting with error messages - APPSEC-1039
    • Severity = 6.1 (Medium)
  • Potential remote code execution using error reports and downloadable products - APPSEC-1032
    • Severity = 6.1 (Medium)
  • Admin Path Disclosure - APPSEC-1034
    • Severity = 5.3 (Medium)
  • Insufficient Protection of Password Reset Process - APPSEC-1027
    • Severity = 3.8 (Low)
  • Dev Folder Not Protected - APPSEC-1124
    • Severity = 0.0 (None)

We realize the list above is cryptic and that understanding each vulnerability in detail would be difficult. However, it does illustrate the number of security-related vulnerabilities this patch addresses and the criticality of each. If you are interested in learning more about these vulnerabilities, please visit Magento's website:

As previously noted, Magento Security Patch SUPEE-6788 breaks a lot of 3rd party extensions. The following spreadsheet details the Magento extensions that will be broken by applying SUPEE-6788:

Modern Retail takes security very seriously, and we're working around the clock to apply Magento Security Patch SUPEE-6788 as soon as possible and to get all affected extensions upgraded or patched as well. We'll continue to update you through Modern Retail's Support Request system. Please reply to the ticket if you have any questions regarding this patch or the status of its application to your website. Thank you.


October 26, 2015 @ 5 pm CST

Magento will officially make the patch available tomorrow, Tuesday, October 27th. We have tested the previous patch on several development websites and will be installing this new patch on several others. We'll update you when we know more.

Below is the official security announcement from Magento.


October 22, 2015 @ 9 pm CST

A point of clarification - Modern Retail is installing and testing this patch now on three different websites in our test environment. This is being done to see how the current patch affects the extensions installed on these sites. Depending on the outcome of our testing, we may apply the patch to our production websites.


October 21, 2015 @ 9 pm CST

Tonight we received the following notice from Magento regarding security patch SUPEE-6788.  Magento has decided to postpone the release until early next week. Here's the full announcement from Magento.

Attached below is SUPEE-6788-Technical-Details.pdf, which describes in detail how this patch breaks backward compatibility.


October 21, 2015 @ 9 am CST

We received a copy of the updated patch and have installed it in our test environment. Unfortunately, the update is breaking a lot of 3rd party extensions. We're testing the most frequently used extensions now and may even have to create separate instances of certain client websites to vet any possible problems or issues.

More information will be posted here as we know more, and we'll be contacting each Magento customer separately regarding the status of this patch. Thank you.


October 20, 2015

Tonight we received the following notice from Magento regarding two security updates:

We have two security updates to share with you today: information about a malware issue impacting some Magento sites and an unrelated security patch release planned for Wednesday, October 21, 2015.

Magento has asked us not to share any other information with you until the patches are officially released tomorrow. Please hang tight; more information is coming soon.