Magento is out with two critical security updates; MALWARE and SECURITY PATCH issues that will have some impact on the extensions. Let’s have a look at the updates and how they affect the code.
Magento team investigated few of the Magento websites that were targeted by Guruincsite malware. No new attack vector was identifiable this time but they found that most of the websites were at risk of code execution issue. The websites that are not at the risk of code execution issue seems to reflect some other unpatched issues.
This malware takes advantage of the admin accounts that has weak passwords, phishing, or any other unpatched vulnerability that allows administrative access. So it is important to check for fake user accounts and leftover demo accounts. These updates haven’t influenced any other Enterprise except a couple of recognized Magento Enterprise Edition traders. Magento Security and Support teams are effectively working with the influenced vendors to address the issues.
Magento team has updated complete instructions to the Magento Community websites so that developers can identify and fix the issues as quickly as possible. The team will continue to drive awareness across Magento ecosystem by considering the importance of taking the safety measures and implementing hard security measures.
Magento released a new security patch (SUPEE-6788), Community Edition 220.127.116.11, and Enterprise Edition 18.104.22.168 to target the vulnerabilities which are not related to the malware issues. The patch (SUPEE-6788) targets more than 10 issues of security recognized through inclusive security programs, including remote code execution and data spill vulnerabilities. There are no affirmed reports of assaults associated with the issues till date; however it is vital for merchants to install the patches, keeping in mind the end goal that is to secure their stores.
The patch (SUPEE-6788) halts the backward compatibility affecting the extensions and customizations. You can find all the required information on the variations that can influence your code. Before starting with adjustments, make sure to go through the documents properly and test your extensions.
For more information, you can visit Magento Security Center.
Patches are available for Magento Enterprise Edition 1.7 and later releases and Magento Community Edition 1.4 and later releases. Merchants can also upgrade to Magento Enterprise Edition 22.214.171.124 or Community Edition 126.96.36.199.
DOWNLOADING THE SECURITY PATCH
Before implementing the latest security patch (SUPEE-6788), make sure to install all the previous security patches which will ensure proper working of the latest patch. You can download the patch by following ways:
– Partners: Visit Partner Portal, choose Technical Resources and then choose Download from the Enterprise Edition. Next, explore Magento Enterprise Edition > Patches and Support and search for the folder “Security Patches – October 2015.”
– Enterprise Edition Merchants: Go to My Account, select the Downloads tab, and afterward explore to Magento Enterprise Edition > Support Patches. Search for the folder titled “Security Patches – October 2015.” Merchants can also upgrade to Enterprise Edition 188.8.131.52 and receive the security update as part of the core code.
– Community Edition Merchants: You can find earlier versions of patches of Community Edition on the Community Edition download page (search for SUPEE-6788). Merchants can upgrade to Community Edition 184.108.40.206 and receive the security update as part of the core code.
URL to download the SUPEE-6482: https://magento.com/security/patches/supee-6482
Need Help in Installing Security Patches?
In case you counter any issues while installing the patches or need help installing them, contact us. Our Expert Magento experts can install these patches for you in no time!