However, the team added, simply applying this update might not remove any
back doors that attackers have managed to insert after they got access.
Sites should begin investigations to see if attackers had got away with
data, said the warning.
"Attackers may have copied all data out of your site and could use it
maliciously," said the notice. "There may be no trace of the attack." It
also provided a link to advice that would help sites recover from being
compromised.
Mark Stockley, an analyst at security firm Sophos, said the warning was
"shocking".
The bug in version 7 of the Drupal software put attackers in a privileged
position, he wrote. Their access could be used to take control of a server
or seed a site with malware to trap visitors, he said.
He estimated that up to 5.1% of the billion or so sites on the web use
Drupal 7 to manage their content, meaning the number of sites needing
patching could be as high as 12 million.
Drupal should no longer rely on users to apply patches, said Mr Stockley.
"Many site owners will never have received the announcement and many that
did will have been asleep," he said. "What Drupal badly needs but doesn't
have is an automatic updater that rolls out security updates by default."
http://www.bbc.com/news/technology-29846539
my motto is "Keep it simple" and "don't leave anything for tomorrow that can
be done today."
Regards Gerald Crawford
Stellenbosch South Africa
Cell: +27-0720390184 (mobile)
E-mail: gerald@webcraft.ws
---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com
Comments