Drupal sites, assume you've been hacked

SQL injection bug threatens the websites of enterprises, governments, and many other institutions using the open source Drupal CMS

Security alert for incoming threats.
Credit: Thinkstock

Word broke yesterday of a major-league security issue involving Drupal, the open source content management system (CMS) used widely in enterprises and government. Come to think of it, "major league" doesn't begin to cover it: Drupal developers have admitted that if your installation wasn't patched before Oct. 15, 11 p.m. UTC, it's best to consider the entire site compromised.

How deep does the compromise run? Deep enough that simply upgrading to the latest version of Drupal won't help, and patching an affected website is only the first of many mitigation steps required.

Drupal has long been a staple of enterprise CMSes, powering sites as diverse as Whitehouse.gov and even InfoWorld.com itself at one point. Version 7, unveiled in 2011, was built with features designed specifically to appeal to enterprise users.

Attackers began making use of the vulnerability to launch automated SQL-injection attacks against websites within hours of its original disclosure, according to Web security research film Sucuri. The bug wasn't detected by Drupal's development team, but by an independent researcher referencing a bug that had been known since November of last year.

Acquia, the company that provides professional services, support, and hosting for Drupal, unveiled cloud-hosted versions of Drupal for business-grade deployments as another spur to adoption. The company began providing commercial support for Drupal back in 2008 and soon found around half of its customers were small businesses, with enterprises, public-sector outfits, nonprofits, and education forming the rest.

After the attack hit, the company claims it took proactive steps to protect customers running Drupal installations in its cloud -- the kind of protection the company touts as one of the advantages of using a hosted and managed installation of Drupal. According to Acquia, other commercial Drupal vendors (mainly Platform.sh and Pantheon) "all implemented different platform-wide protections for our respective customers, " with the three companies collaborating together on possible solutions. 

One major takeaway is the speed at which attackers were able to leverage information about the exploit as word of it emerged. It shows today's cyber criminals are well-prepared to take advantage of a known exploit, especially one that uses a widely understood delivery method such as a SQL injection.

InfoWorld's Roger Grimes expressed concern about the future of malware and the idea that "a vendor releases a patch and every possible machine is exploited before anyone even wakes up," as he put it in an email. "Does it eventually become a race between the vendor and malware writer for customer trust? ... Most bad guys don't want to exploit every computer immediately because all that does is ramp up the patching speed, and that's counterproductive to what they want."

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.