Magento will release a new security patch (SUPEE-6788) on Tuesday October 27, 2015. It is the sixth Magento security patch released this year. As we are preparing for its release, some Neoverve clients have been asking questions regarding the increase in security vulnerabilities over the past couple years and wondering how this security patch might impact their site.
Simply put, over the past 5 years, Magento has grown to become the most popular ecommerce application in the world. As such, it has become a target for hackers. Unfortunately, that’s the environment we live in today. Service providers like Neoverve and merchants alike must share the burden and adjust their operating budgets to accommodate this necessary cost of doing business.
As part of your Neoverve Managed Services, Hosting & Support Plan, we include security monitoring and patch installation. This includes not only Magento, but the systems software required to run Magento (Operating system software – Linux, CentOS; Webserver software – Apache, Nginx; Databases – MySQL, Percona, Redis; Scripting software – PHP).
Fixing incompatible application code, customizations or third party extensions that break when installing security patches is a billable professional service we provide.
Usually our patching happens behind the scenes without any involvement from merchants or additional costs. Server system software patches rarely cause issues with sites. Magento security patches, however, change application code and so have some potential to break customizations and extensions. Unfortunately, this particular patch changes admin routing code, which is commonly used in customizations and by extensions. It would be impossible for Magento to develop a patch that guarantees backward compatibility for the thousands of extensions available from third parties and the unlimited possible customizations developers create. Therefore, we expect this security patch to break sites.
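To make the admin routing change concrete, here is an added illustration (not code from Neoverve, Magento or any specific extension) of the two ways a Magento 1 extension can declare its admin controllers in its etc/config.xml. The module name My_Module and the frontName mymodule are hypothetical placeholders. The first form registers a standalone admin router with its own frontName; the second attaches the module's controllers to the core adminhtml router, which is the form the hardened admin routing expects. Extensions still using the first form are the ones most likely to lose access to their admin pages after the patch, and the routing declaration is the first place to check when an extension's admin menu or grid stops loading.

```xml
<?xml version="1.0"?>
<config>
    <modules>
        <My_Module>
            <version>1.0.0</version>
        </My_Module>
    </modules>

    <admin>
        <routers>
            <!-- Legacy style: a separate admin router with its own frontName.
                 Hypothetical example; this is the pattern that the patch's
                 admin routing hardening is designed to stop honoring. -->
            <mymodule>
                <use>admin</use>
                <args>
                    <module>My_Module</module>
                    <frontName>mymodule</frontName>
                </args>
            </mymodule>

            <!-- Hardened style: register the module's admin controllers with
                 the core adminhtml router so requests are served under the
                 standard admin URL and pass through the admin session checks. -->
            <adminhtml>
                <args>
                    <modules>
                        <My_Module before="Mage_Adminhtml">My_Module_Adminhtml</My_Module>
                    </modules>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
```

A real extension would contain only one of the two blocks; they are shown together here so the difference is visible side by side. Moving to the second form also means the module's admin controller classes live under the Adminhtml controller namespace (My_Module_Adminhtml_*Controller in this hypothetical), and any hard-coded links to the old frontName in layout files or templates need to be updated to match.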
Neoverve has already begun planning and preparing our developers and systems for the possibility of dealing with widespread issues caused by installing this new security patch. Every Magento site we host will be copied to a development and testing server where we’ll install the patch and check for issues. If no issues are found, the patch will be installed on your live site. We’ll then contact you to confirm the proper functionality of your site.
However, you should be prepared for potential issues. Along with many common customizations, over 800 third party extensions have already been flagged as likely to break. We’ve been communicating with the leading extension developers since last week, inquiring as to their plans to release updated versions or patches for their impacted extensions and working to determine the most efficient ways of rectifying extension related issues. In addition, we are developing automated tools to fix common customizations as quickly and as cost effectively as possible for you.
For all sites that break, we’ll contact you with a cost estimate for additional work to be performed by Neoverve’s developers to fix whatever problems are identified. A timely approval by you for us to begin work will ensure your place in line for what could take weeks to complete for all of the Magento sites we host. We anticipate 2-4 billable hours for lightly customized sites with few installed extensions. Heavily customized sites or sites with many extensions installed could take 6-10 billable hours or more to secure and fix.
In certain cases, we believe we’ll be able to partially patch your live site while the broken customizations and extensions are being fixed on a development and testing server. Then we’ll go back and apply the complete patch and fixes to your live site. This should help keep sites as secure as possible while we work through issues and obtain updated extensions from the respective companies.
Thank you to all the security researchers, developers and merchants who together maintain Magento as the world’s best open source ecommerce platform! Neoverve is proud to be part of the Magento community and ecosystem.
For more information on SUPEE-6788 and other pertinent Magento security topics, check out these links: