The Scoop on SUPEE-6788: Magento’s Latest Security Patch

On October 27th, Magento released a security patch that addresses over ten potential security threats to the e-commerce platform. These security threats, including “remote code execution and information leak vulnerabilities,” are weaknesses throughout the platform that hackers can exploit for access to confidential consumer data. A particularly severe hazard found within the underlying Zend Framework would allow special requests to tamper with critical system files. Built on Zend’s open-source framework for developing web applications and services, Magento swiftly mitigated the risk with their latest security patch, SUPEE-6788. Magento warned users a series of automated attacks were possible and urged merchants to patch or upgrade their Magento platform.

SUPEE-6788, released on the cusp of the holiday shopping season, creates an untimely complication for e-commerce owners behind on their website maintenance. The patch itself resolves a number of security issues, but as store owners operating on older versions of Magento or who have done a fair amount of customization on the open-source platform are discovering, the installation is not as cut and dry as it would seem.

SUPEE-6788’s information page states,

“This patch bundle may possibly break backward compatibility with customizations or extensions.”Magento.com

This means bringing your website security up-to-date will likely be accompanied by a few additional challenges. E-Commerce stores running on older versions of Magento will likely experience broken features after installing the patch. Customization to the platform and 3rd-party extensions require special attention throughout the process too, as they are likely to be affected by the update.

In some cases, upgrading to the latest version of Magento, which comes pre-equipped with the latest security modifications, is a better solution. Upgrading can present similar complications though, and with the holiday shopping season already in full swing, your website can’t afford a single minute of downtime.

What Should You Do?

1. Discover Your Risk LevelFigure out which version of Magento you’re operating on. Then check how up-to-date your website is with previous security releases.MageReport.com provides quick, effortless insight into your current state of security. This scanner will look for previous security patch installations and suggest other preventative measures you can take to defend your store.

   

2. Determine Whether to Patch or UpgradeAfter you’ve determined which version your Magento installation is using and how high your risk level is, the next step is to decide whether you should install the security patches or move forward with a Magento upgrade. The choice will come down to a number of factors (urgency, being one of them) and it’s best to consult with a Magento developer before doing anything.A skilled Magento developer will not only be able to make recommendations on your course of action, but they can also help you identify which extensions and features your website has that will be affected. Documenting your extensions and potential issues prior to beginning will greatly aide the QA process afterwards.
3. Work in a Fresh Development EnvironmentWhether you’re patching, upgrading or updating a single line of CSS, you should always work in fresh development environment. Deploying code directly to your production environment is one of the biggest development sins you can make. The key advantage of working in a staging environment is that you have the freedom to evaluate and sort out any major kinks before your code goes live.Remember: Document any changes you make in the Magento admin on your development installation. These changes will need to be manually updated when the code is pushed to production.
4. QA, QA, QAAfter installing the patch or upgrading, thoroughly QA your website for issues with functionality. Test everything!According to Magentary, nearly 80% of 3rd-party extensions, especially those using custom variables and admin routing, will be affected by this patch. The patch requires custom blocks and variables created by extensions, such as {{var custom.example}}, be added to the allowed Blocks within the new System Blocks Permissions page. Custom blocks within your CMS pages and Transactional Emails will also need to be added to the allowed Blocks in order to display.

   (If you find that your extensions are still not working as expected, you should contact the extension developer for a SUPEE-6788 compatible upgrade.)

5. DeployAfter careful QA, it’s time to deploy the code to your production server. Deployment processes vary from team to team and have sparked many great developer debates. Whatever your particular process is, be sure to adhere to it. Also, don’t forget to migrate any changes you made within the database or Magento admin of your development site.After deploying, you should review your live install with as much scrutiny as you did the development environment. Test everything again.

For more information on patching or upgrading your Magento site, contact Fruition’s E-Commerce and development experts.