There's never a good time for an update
As always, Drupal Security Team did an excellent job and the news on the security vulnerabilities reported on Wednesday wasn't a bombshell for most of us. Everyone had a chance to prepare and pre-allocate resources to take all measures necessary to patch the supported websites.
A quick recap for those who missed the buzz or are just slowly waking up right now.
July 12 - the Drupal Security Team released the public service announcement (PSA) with the details of the upcoming security releases for a bunch of contribs, including the exact time of the expected release (16:00 UTC).
July 12-13 (depending on your timezone) - the Drupal community took its time to prepare. Several blog posts emerged following the news, some even calling the upcoming release "a new Drupalgeddon" (although if you read the PSA carefully, there is no mention of Drupal core, and the estimated number of affected websites is up to 10k for each vulnerability).
July 13, 4 PM UTC - we've ended up with three advisories:
- RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040
- Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039
- Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038
While Webform Multiple File Upload has a small install base and RESTWS is not that popular either, the Coder module is more interesting.
The Coder vulnerability doesn't require the module to be enabled, and what is even more intriguing is that the module itself is not your typical module: it is used as a command line tool and in IDEs. So we've got no statistics on how popular it is in reality or how many production websites are affected. However, judging by the number of issues reported for it (around 1300), we can easily tell it's the most popular one in this PSA.
The time problem
Let's get back on topic. The release time itself is not accidental at all. 4 PM UTC covers business hours for both Americas (up to UTC-9 in Argentina), the whole of Europe and Africa, a huge part of Central Russia and the Middle East (up to UTC+4). Wise choice!
For many of us the release happened early morning, for the rest closer to the afternoon or late evening, but Drupal folks working from South, East and Southeast Asia, as well as Australia and South Pacific regions, had to spend their overtime hours to keep their websites in good health.
Besides, even those who were lucky enough to face the PSA during their business hours didn't always feel comfortable about the time of the release. It could overlap with meetings, deadlines, sick days and other force majeure situations.
Another thing is that while this update was properly announced, there is a chance that the next one will not be so comfortable, for example a critical security patch released by the maintainer of a less popular module that is used widely in your projects.
The bottom line is that the conditions for your next security update will not always be ideal, and the timing will never be perfect. Stay alert all the time, surround yourself with tools that help with the routine, and establish a continuous update process for your company or website so that the next PSA or a compromised website doesn't catch you by surprise.
The time will just never be perfect.
Drop Guard reaction
And finally, some good news from Drop Guard. All our users received their updates between 15 and 30 minutes after the announcement.
Those who configured the update behaviours following the recommended best practices (to commit Highly critical updates to the live site branch and deploy them immediately) had to perform post-deployment QA only. The rest got their update tasks created and ready for the immediate execution.
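As an added illustration of the update behaviour described above (not Drop Guard's own code), the following triage maps each of the three advisories to an action by risk level, using the modules present in the code base rather than the enabled-modules list, since the Coder case shows a disabled module can still be affected. The advisory records and the site inventory are constructed, and the project machine names are assumed.

```python
from dataclasses import dataclass

# Constructed advisory records for the three SA-CONTRIB ids named in the post
# (the risk levels are the ones the advisories carry; the project names are assumed).
ADVISORIES = [
    {"id": "SA-CONTRIB-2016-040", "project": "restws", "risk": "Highly critical"},
    {"id": "SA-CONTRIB-2016-039", "project": "coder", "risk": "Highly critical"},
    {"id": "SA-CONTRIB-2016-038", "project": "webform_multifile", "risk": "Critical"},
]


@dataclass(frozen=True)
class Module:
    project: str   # machine name of a project present in the code base
    enabled: bool  # Drupal enabled state; deliberately NOT used as a filter (see triage)


def triage(advisories, code_base):
    """Map each advisory to an action following the recommended update behaviour:
    Highly critical -> commit to the live site branch and deploy immediately,
    anything else   -> create an update task for prompt manual execution.
    The inventory is what sits in the code base, not the enabled-modules list:
    as the post notes for Coder, a vulnerability can be exploitable while the
    module is disabled, so a disabled module still gets its update scheduled."""
    present = {m.project for m in code_base}
    plan = {}
    for adv in advisories:
        if adv["project"] not in present:
            continue  # not shipped with this site, nothing to do
        if adv["risk"] == "Highly critical":
            plan[adv["id"]] = "auto-commit to live branch and deploy"
        else:
            plan[adv["id"]] = "create update task"
    return plan


# Constructed site: Coder is present but disabled, RESTWS is absent.
SITE = [
    Module("coder", enabled=False),
    Module("webform_multifile", enabled=True),
    Module("views", enabled=True),
]

if __name__ == "__main__":
    for sa, action in sorted(triage(ADVISORIES, SITE).items()):
        print(f"{sa}: {action}")
```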
Was your website affected? How fast have you managed to apply a patch? Share your thoughts with us!