New security challenges arise
Submitted by Igor Kandyba
on Wednesday, 28. December, 2016 - 13:00.
Two days ago another highly critical security update affected Drupal and many other CMS systems. It was a vulnerability in the PHPMailer library, which leaves millions of websites exposed to remote exploitation (see https://www.drupal.org/psa-2016-004 for details). Compared with Drupalgeddon, which had a risk score of 25/25, this update is rated 23/25. But there are some things that make this update even riskier than Drupalgeddon:
• The vulnerability doesn't affect a Drupal module; it affects a third-party library. This means the update will not appear in the Drupal update manager. Thanks to the Drupal security team it was announced on Drupal.org, so you might see the message via social media, your favourite newsletter or Twitter. But what if you don't follow social media and RSS feeds? You will definitely miss it!
• The update was released at a time when most businesses are closed for the holidays. A highly critical update should be applied within 4-8 hours of publication.
• This security update affects not only Drupal sites but also other CMS systems such as WordPress (see here) and any other CMS that uses this library to send email.
This latest security update makes it apparent that, if you want to stay secure, it is not enough to just monitor and update your Drupal modules, core and themes regularly. You need to monitor security updates for all dependencies you use to build your software. If it is based on open source libraries (and it should be, so that you don't reinvent the wheel), using a package manager such as Composer or NPM is recommended. A package manager helps you keep track of all the libraries you and your team use. It is also the basis for proper monitoring and update automation, so that you have to worry less about security-critical updates, whenever and wherever they arise.
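The point above is that a library pulled in through Composer never shows up in the Drupal update manager, so the inventory has to come from the lock file instead. The following is an added example, not code from the original post or from the Drupal or PHPMailer projects: it reads a composer.lock document, builds an inventory of every runtime and dev package, and flags those whose locked version is older than the first fixed version in an advisory list. Both the composer.lock excerpt and the advisory entries are constructed for illustration; the fixed versions in ADVISORIES are placeholders, not the real PHPMailer advisory data.

```python
"""Inventory the locked dependencies of a Composer project and flag any that
fall below the minimum safe version given by an advisory feed.

Added example, not from the original post. The composer.lock excerpt and the
advisory list are constructed; ADVISORIES holds placeholder fixed versions.
"""
import json

# Constructed composer.lock excerpt: only the fields this check needs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpmailer/phpmailer", "version": "v5.2.16"},
        {"name": "symfony/yaml", "version": "v3.2.1"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "4.8.36"},
    ],
})

# Constructed advisory feed: package -> first version that contains the fix.
# Placeholder values only; take real ones from the vendor's advisory.
ADVISORIES = {
    "phpmailer/phpmailer": "5.2.99",   # placeholder, not the real fixed version
    "symfony/yaml": "3.0.0",           # constructed: locked version is already newer
}


def parse_version(version):
    """Turn 'v5.2.16' or '5.2.16' into a comparable tuple of ints.

    A non-numeric suffix such as '-beta1' is dropped after the numeric
    prefix, so '1.0.0-beta1' compares as (1, 0, 0). Tuples of different
    length compare element-wise, so (5, 2) < (5, 2, 0).
    """
    parts = []
    for piece in version.lstrip("vV").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def locked_packages(lock_json):
    """Return {name: version} for all runtime and dev packages in a composer.lock document."""
    data = json.loads(lock_json)
    inventory = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            inventory[pkg["name"]] = pkg["version"]
    return inventory


def vulnerable_packages(lock_json, advisories):
    """Return a sorted list of (name, installed, fixed_in) for every locked
    package that appears in the advisory list with an older version."""
    findings = []
    for name, installed in locked_packages(lock_json).items():
        fixed_in = advisories.get(name)
        if fixed_in is None:
            continue  # no advisory for this package
        if parse_version(installed) < parse_version(fixed_in):
            findings.append((name, installed, fixed_in))
    return sorted(findings)


if __name__ == "__main__":
    for name, installed, fixed_in in vulnerable_packages(SAMPLE_LOCK, ADVISORIES):
        print(f"UPDATE NEEDED: {name} {installed} (fixed in {fixed_in})")
```

Run against a real project by replacing SAMPLE_LOCK with the contents of its composer.lock and ADVISORIES with entries taken from the vendor advisories you subscribe to; wiring this into a scheduled job or CI step is the "monitoring and update automation" the paragraph describes.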