
Do you want a visit from the police?

Submitted by nk on Sat, 2007-04-14 20:53

You see, it's not hard to write sensational titles. I never thought I would need to write about why keeping up with security patches is important, but apparently some do not get it and spread their idiocy (I am not naming anyone, you know who you are). It was suggested that most people will find it unprofitable to keep their website's security updated when comparing the upgrade cost with the recovery cost of a hacked website, also taking into account the reputation and business losses. Hint: merely restoring your website does not solve anything -- it's not like a successful attack needs to change anything on your website. As long as there is a possibility to inject JavaScript somewhere, your site is open to a number of interesting things, which might even lead to you finding yourself in trouble with the authorities.
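To make that last point concrete, here is an added example (not from the original post and not Drupal's own code) of the kind of hole the paragraph describes: a reflected cross-site scripting flaw in a page that echoes a query parameter. The page and the `q` parameter are assumptions. The vulnerable function never writes to the database or the filesystem, which is exactly why restoring a backup cannot close the hole; only patching the code does.

```php
<?php
// Added example, not Drupal code. Assumed: a search page that echoes the
// "q" query parameter back into the HTML it returns.

// VULNERABLE: the raw parameter is written straight into the page. A crafted
// link carrying markup in "q" is rendered in the visitor's browser, yet
// nothing on the server changes, so a restore from backup leaves the hole
// exactly as it was.
function render_search_vulnerable(string $q): string {
    return "<p>Results for: " . $q . "</p>";
}

// FIXED: encode the value as HTML text before emitting it. ENT_QUOTES also
// encodes both quote characters, so the value is safe inside attributes too;
// ENT_SUBSTITUTE keeps an invalid byte sequence from silently emptying the output.
function render_search_fixed(string $q): string {
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Results for: " . $safe . "</p>";
}

// Constructed input standing in for a hostile query string arriving in a link.
$input = '<script>alert(1)</script>';

// The vulnerable version passes the tags through unchanged; the fixed version
// entity-encodes the angle brackets so the browser shows them as text.
echo render_search_vulnerable($input), "\n";
echo render_search_fixed($input), "\n";
```

Inside Drupal the same job is done by `check_plain()` for plain text and the filter system for HTML; the example uses plain PHP so it runs on its own. The lesson for the "just restore it" argument is that the payload lives in the request, not on your disk: there is nothing to restore.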

Quite some time ago, there was a Gmail security hole where a security researcher managed to produce a link; if you clicked on it, you got the Gmail login screen along with a form which stated that Gmail would become a paid service, but if you paid ten dollars you could get lifetime access. Of course, the form led nowhere, because this guy was a security researcher, not a bad guy. Imagine the same link spread through spam, which has about a 0.01-02% click-through rate -- for ten million emails, that's a few tens of thousands of dollars earned without serious effort. Whether you will be sued or not if something like this happens is anyone's guess. I am unaware of anyone dragged to court because of a security hole, but sooner or later it will happen.

A privilege escalation might lead to information disclosure. If you run a site as innocent as a kids' educational site, you are likely holding records of minors, and a disclosure of those might be serious trouble.

If you keep going without applying security patches, then somewhere down the line you will miss one that lets people run arbitrary PHP code. Here, a restore does help, but it can be way too late. Your site might have been running a spambot for some time. Or what about hosting copyright infringement? Let's recall a snide warning from an RIAA attorney: "You don't want to have another visit with a dentist like me."


Submitted by riccardoR@drupal.org on Sat, 2007-04-14 22:20.

It is absolutely true, as you say, that someone could be dragged to court because of a security hole.
The Italian law, for example, says that system admins can be sentenced to personally refund the damage coming from abuse of their systems, unless they prove that they did everything possible to keep the system secure.
Therefore every discussion about the convenience of applying security patches makes no sense.
One has to do it, period.