# The Scoop on SUPEE-6788: Magento’s Latest Security Patch
On October 27th, Magento released a security patch that addresses over ten potential security threats to the e-commerce platform. These security threats, including "remote code execution and information leak vulnerabilities," are weaknesses throughout the platform that hackers can exploit for access to confidential consumer data. A particularly severe hazard found within the underlying Zend Framework would allow special requests to tamper with critical system files. Built on Zend's open-source framework for developing web applications and services, Magento swiftly mitigated the risk with their latest security patch, SUPEE-6788. Magento warned users a series of automated attacks were possible and urged merchants to patch or upgrade their Magento platform. SUPEE-6788, released on the cusp of the holiday shopping season, creates an untimely complication for e-commerce owners behind on their website maintenance. The patch itself resolves a number of security issues, but as store owners operating on older versions of Magento or who have done a fair amount of customization on the open-source platform are discovering, the installation is not as cut and dry as it would seem. SUPEE-6788's information page states,


>"This patch bundle may possibly break backward compatibility with customizations or extensions."Magento.com"This patch bundle may possibly break backward compatibility with customizations or extensions."Magento.com


This means bringing your website security up-to-date will likely be accompanied by a few additional challenges. E-Commerce stores running on older versions of Magento will likely experience broken features after installing the patch. Customization to the platform and 3rd-party extensions require special attention throughout the process too, as they are likely to be affected by the update. In some cases, upgrading to the latest version of Magento, which comes pre-equipped with the latest security modifications, is a better solution. Upgrading can present similar complications though, and with the holiday shopping season already in full swing, your website can't afford a single minute of downtime.

## What Should You Do?
1. **Discover Your Risk Level**Figure out which version of Magento you're operating on. Then check how up-to-date your website is with previous security releases.MageReport.com provides quick, effortless insight into your current state of security. This scanner will look for previous security patch installations and suggest other preventative measures you can take to defend your store.

2. **Determine Whether to Patch or Upgrade**After you've determined which version your Magento installation is using and how high your risk level is, the next step is to decide whether you should install the security patches or move forward with a Magento upgrade. The choice will come down to a number of factors (urgency, being one of them) and it's best to consult with a Magento developer before doing anything.A skilled Magento developer will not only be able to make recommendations on your course of action, but they can also help you identify which extensions and features your website has that will be affected. Documenting your extensions and potential issues prior to beginning will greatly aide the QA process afterwards.

3. **Work in a Fresh Development Environment**Whether you're patching, upgrading or updating a single line of CSS, you should always work in fresh development environment. Deploying code directly to your production environment is one of the biggest development sins you can make. The key advantage of working in a staging environment is that you have the freedom to evaluate and sort out any major kinks before your code goes live.Remember: Document any changes you make in the Magento admin on your development installation. These changes will need to be manually updated when the code is pushed to production.

4. **QA, QA, QA**After installing the patch or upgrading, thoroughly QA your website for issues with functionality. Test everything!According to Magentary, nearly 80% of 3rd-party extensions, especially those using custom variables and admin routing, will be affected by this patch. The patch requires custom blocks and variables created by extensions, such as {{var custom.example}}, be added to the allowed Blocks within the new System Blocks Permissions page. Custom blocks within your CMS pages and Transactional Emails will also need to be added to the allowed Blocks in order to display. (If you find that your extensions are still not working as expected, you should contact the extension developer for a SUPEE-6788 compatible upgrade.)
5. **Deploy**After careful QA, it's time to deploy the code to your production server. Deployment processes vary from team to team and have sparked many great developer debates. Whatever your particular process is, be sure to adhere to it. Also, don't forget to migrate any changes you made within the database or Magento admin of your development site.After deploying, you should review your live install with as much scrutiny as you did the development environment. Test everything again..

For more information on patching or upgrading your Magento site, contact Fruition's E-Commerce and development experts.

Uncover insights on potential vulnerabilities posed by SUPEE-6788, Magento's security patch, and know how you can impactfully safeguard your E-commerce platform.

Updated Content:

# Understanding Magento’s Security Patch SUPEE-6788: Risks and Mitigation
October 27th marked the release of Magento’s much-awaited security patch, SUPEE-6788. Targeting over ten potential security threats on the e-commerce platform, it's a crucial tool that addresses significant "remote code execution and information leak vulnerabilities."

A key hazard discovered within the Zend Framework, which is responsible for system files, was promptly addressed with SUPEE-6788. It was intended to counter automated attacks, compelling merchants to initiate a quick upgrade or patch to their Magento platform.

However, for many e-commerce owners, the release of SUPEE-6788 couldn't have come at a more inconvenient time, right before the holiday shopping season, especially for those lagging behind on website maintenance. While it resolves numerous security aspects, the installation has proved to be more complex than anticipated. The patch could potentially impact backward compatibility with customizations or extensions as anticipated by Magento’s SUPEE-6788's information page.

## Steps to Safeguard Your E-Commerce Platform
Here's a practical to-do list for addressing the challenge of SUPEE-6788:

1. **Assess Your Risk Level** - Determine your current Magento version and evaluate the status of previous security releases. MageReport.com offers valuable insight into your current security state, including a review of past security patch installations.

2. **Patch or Upgrade – Make a Choice** - Understand your risk level and Magento version before deciding to install the security patch or a complete Magento upgrade. Several factors come into play here, including urgency and consulting a Magento developer.

3. **Switch to a New Development Environment** - Always initiate changes, whether patching, upgrading, or updating, in a fresh development environment. This approach enables identification and resolution of major issues before your code goes live.

4. **QA Testing** - After patch or upgrade implementation, conduct a rigorous QA for potential functionality issues. Test every feature extensively, especially third-party extensions that might be affected by this patch.

5. **Deploy** - With thorough QA done, code deployment to the production server is the next step. Do remember to migrate any changes made within the database or Magento admin of your development site after deployment.

For expert guidance on patching or upgrading your Magento site, reach out to Fruition's E-commerce and development specialists.

a blue and orange line drawing of a megaphone

large_Generic-Blog-Hero-1.jpg

Strategy & Research

Digital Marketing

Web Development

Creative

AI Data & Analytics

Magento Security Patch SUPEE-6788: Know the Risks, and your Next Steps

Ben Smith

Related Articles

International SEO Tips for Business Success: Localization, Translation & Domains

Ben Smith

Don't "Enhance" AdWords Until You Read This!

Ben Smith

Fruition® Client Wins Industry Award for Outstanding Website

Ben Smith