Drupal 7 security announcement

The Drupal Security Team released a new version of Drupal 7 to address a highly-critical security vulnerability. We have coordinated an update of all of our Drupal 7 sites to get to the latest version. Every Drupal 7 site we host has been updated and manually verified.

Our process

Advantage Labs rolls major security updates and a collection of updated modules into our managed build and updates each site using the build. We have found this process to be generally more consistent and trackable than updating modules willy-nilly via the updates page, and it gives us a chance to recognize and address issues on one site and apply solutions to subsequent sites. The release instigated by this security notice is no exception. We created a new build and prepared to update all Drupal 7 sites.

The nature of this security vulnerability, which allows attackers to work remotely without a login to your site, made it important for us to escalate our usual check-in and QA process and get every Drupal 7 site updated as quickly as possible. We coordinated communication and updates of all D7 sites between Wednesday and Thursday, and each of our customers checked on the updates. 99% of our hosted sites were updated with no impact to our customers.

Secure by default

Because Drupal core and selected modules are managed centrally and root-owned, it is not possible for an exploit that runs as the site's owner to cause changes to Drupal or those modules. And because these files are centrally managed, we were able to update them without affecting our customers' files and customizations.
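
A way to check the property described above, as an added example that is not Advantage Labs' own tooling: it walks a managed Drupal tree and reports anything that is not owned by the managing account or that group or other users can write to. The function name, the `managed_uid` parameter and the path in the usage comment are assumptions made for illustration.

```python
import os
import stat
import sys

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_managed_tree(root, managed_uid=0):
    """Return sorted (relative_path, problem) pairs for every entry under
    root that an account other than managed_uid could modify."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat judges a symlink itself, not its target
        rel = os.path.relpath(path, root)
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink, target not audited"))
            continue
        if st.st_uid != managed_uid:
            findings.append((rel, "owner uid %d" % st.st_uid))
        # A writable directory lets its entries be replaced even when the
        # files inside it are root-owned, so directories are checked too.
        if st.st_mode & WRITABLE_BY_OTHERS:
            findings.append((rel, "group/other writable"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py /path/to/managed/drupal  (placeholder path)
    problems = audit_managed_tree(sys.argv[1])
    for rel, problem in problems:
        print("%s: %s" % (rel, problem))
    sys.exit(1 if problems else 0)
```

An empty result covers only the tree passed in; the directories above it need the same ownership and mode for the guarantee to hold.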

Custom modules, the site's database, and the files directory are still susceptible to changes caused by this and other exploits. Following the updates, we ran an integrity check against our managed sites, and were happy to find that 100% of them checked out OK.