By Greg Reedy, PHP/MySQL Developer at InteractOne

Ignoring Magento Security Patches and Upgrades May Save Some Cash Upfront but Could Cost You Big Time Down The Road.

Magento released two critical security patches this year for Magento 1: SUPEE-9652 and SUPEE-9767. The latter was just recently released May 31.

The first patch (SUPEE-9652) addresses Zend library vulnerabilities. Specifically, “the Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1.” The patch is scored as critical but to be affected, a merchant would have to use Sendmail as the mail transport agent or have specific, non-default configuration settings.

The new vulnerability has been found in a Zend Framework 1 and 2 email component used by all Magento 1 and Magento 2 software and other PHP solutions. This is a serious threat and can lead to remote code execution attacks if your server uses Sendmail as a mail transport agent. However, the attacker would need to target this vulnerability specifically by finding your store’s email “Set Return-Path” set to “Yes,” along with your server using Sendmail, at which point your store is vulnerable to this exploit.

The second patch recently released (SUPEE-9767) addresses an issue with form validations and attackers gaining access to the admin side of the site. Once access is obtained, attackers are disabling a configuration protection and uploading malicious code hidden in an image. Use of the AllowSymlinks option in Magento’s configuration settings can enable the upload of an image containing the malicious code. Although the option is normally turned off by default, an attacker can enable it once gaining admin access and upload infected images in multiple locations.

By ignoring or avoiding Magento Security Patches and updates, merchants are opening themselves up to a much larger problem.

We’ve encountered several merchants over the last year or so who have ignored security or bug patches and have severely delayed the upgrading of their Magento sites. Further, we often find that “discount developers” who have previously worked on said sites have broken the “Golden Rule” of Magento development: Never customize or alter the core code outside of official Magento patches and upgrades!

Core edits not only weaken the overall fallback built into Magento, but can cause patches and upgrades to be ineffective if these alterations occur in a way that circumvents the fallback as well.

The sad part is that these issues can be easily fixed if they were handled in a timely manner instead of “waiting it out” until the next redesign or other major site updates. By ignoring Magento Security Patches or avoiding updates, merchants are opening themselves up to the much larger problem of legal indemnification since many maintain publicly that they are PCI compliant while leaving gaping security holes in their site’s infrastructure.

Did You Know That 90% of breaches impact small businesses?

According to a FirstData analysis on the costs of a data breach, merchants can expect to deal with a lot of unexpected costs and paperwork.

“When a breach of payment data is reported (or even suspected), it kicks off a series of unavoidable and costly actions that range from forensic analysis of the merchant’s payment system to mandatory reporting requirements.”

The analysis continues, to address the massive expenses that can incur.

“If your business is unfortunate enough to have this happen, you can expect to incur significant expenses. For example, the cost of a data breach for a small business merchant averages $36,000 and can reach or exceed $50,000.”

This, of course, is in addition to the publicity mess and potential loss of business from nervous consumers. The study found that 90% of breaches impact small businesses, reporting that as much as 31% of customers terminated their relationship with the targeted business after a breach was discovered.

Another recent report by Computer Business Review found that attackers were using “tried and tested methods. Leading a resurgence of ‘classic’ attack vectors [such as] adware and email spam… at levels not seen since 2010.” Spam was found to account for 65% of email, with 8-10% identified as malicious.

Do we need to go back and review SUPEE-9652? It covers email vulnerability. Although perhaps rare for some merchants, the Computer Business Review report indicates the severity of email spam.

It’s simple, invest now in Maintenance and Support so you don’t have to take out a loan down the road to recover from a major data breach or hack.

The common reason why merchants avoid regular site maintenance and support is due to up-front costs. The concern is that site maintenance could run hundreds or even thousands of dollars with little perceived return. The irony is that regular site maintenance often makes the experience better for customers and administrators alike as bugs are fixed and improvements are made. Plus, merchants are obviously saving much more money in the long run as they’ve done all they can to assure their website is secure and truly compliant with eCommerce laws.

Applying security patches is often very quick, especially when a site is up-to-date and properly maintained. Notably, version upgrades will include multiple patches, so it’s usually best to upgrade to the latest versions as they are released regardless if a previous patch has already been installed. This ensures that all applicable patches and bug fixes have been included and the system is hardened against attacks.

So, Ignoring Magento Security Patches and putting off upgrades is just never a good idea. Save yourself time and Tylenol and stay on top of your site’s maintenance and support.

Need a Magento Security Patch or an upgrade? Contact us to see how we can get you patched up.