DNotes LLC

Drupal development, hosting, and consulting

DNotes LLC response to Drupal security release SA-CORE-2014-005

Yesterday, October 15, Drupal 7.32 was released, addressing a critical security flaw in Drupal 7 core. This flaw was as critical as it gets: it allowed anyone to do almost anything on almost any Drupal 7 site. There were no known exploits running before yesterday, but by this morning automated scripts were peppering the internet with attacks meant for Drupal 7 sites. For more information on the security release, including how the issue was found and how it was addressed, please see the SA-05 FAQ by the Drupal security team.

Timeline of DNotes LLC response to SA-CORE-2014-005

| Time (PST) | Event |
| --- | --- |
| 15 Oct. 9:04am | SA-CORE-2014-005 released on drupal.org |
| 15 Oct. ca. 1:00pm | All 80+ sites hosted or managed by DNotes LLC patched and secure from SA-05 |
| 15 Oct. 1:35pm | Incubator beta 31 released including Drupal 7.32 |
| 15 Oct. 4:57pm | All 80+ sites hosted or managed by DNotes LLC on the Incubator distribution updated |

Is your site secure?

If your site is hosted or managed by DNotes LLC, then it should be secure. The security flaw identified in SA-CORE-2014-005 was patched within 4 hours of its release; within 8 hours your site was upgraded to Drupal 7.32, and today your administrative accounts were checked to ensure that the attacks seen this morning were not carried out on your sites.

If you host your own site using the Incubator platform maintained by DNotes, then you should have either patched or updated your site yesterday in accordance with the instructions in SA-CORE-2014-005.

What if you did not update your Drupal 7 site yesterday on October 15?

(Note: edited October 17) I used to have some ideas here about how you might begin to re-secure your site if you did not get it updated or patched quickly, but the implications of this bug are really staggering. If your server is not configured right, an exploit like this could do almost anything. I can't think of any one-size-fits-all advice that could be given in this case.

How bad is this? How often does this sort of thing happen?

In 10 years working with Drupal, this is the most critical security flaw I have seen. A review of Drupal core security announcements indicates that for the last 5 years, such announcements have been made approximately once each quarter on average, and they are generally either less critical in nature, e.g. allowing content to be seen by users who should not see it, or else mitigated by other factors, including the need for an attacker to have an account, or for certain modules to be enabled, or for the site to be configured in certain ways. In fact, in my experience most Drupal security releases, even ones marked highly critical, have not been of a nature to affect any of the sites I maintain. SA-CORE-2014-005 is different. It is relatively easily exploitable by anyone across almost all Drupal 7 sites. It is Drupal's equivalent of the Heartbleed bug that affected half the Internet last April. I would be extremely surprised to see another announcement like this within the next 5 years.
