Update 21-09: we received a response from Magento (Ted Pietrzak, Senior Director, Product Development, Magento). Added below.
If you are a Magento developer responsible for one or more shops, you probably have a few sticky notes on your monitor with long overdue “upgrade” to-dos. Somehow, there is always something more enjoyable on the agenda than the daunting task of replacing Magento core files. And it appears you are not alone. Over 80% of Magento shops worldwide do not have the latest Magento security fix installed.
Last February, Magento released a fix for its first serious security flaw ever, dubbed Shoplift. Many shops got hacked; customer data was stolen, and payments got diverted. This induced Magento to come up with a new security policy. Offering cash rewards, people were invited to submit newly found security issues. So far, 20 issues were reported, ranging from “highly hypothetical” to “DEFCON 1”. Magento created corresponding patches and did a good job communicating about them.
Magento patches released this year
A short summary of the SUPEE patches that Magento has released this year:
| Date | SUPEE patch | Severity | Risk |
|---|---|---|---|
| Feb 9 | 5344 | ⚠⚠⚠ | Anyone can take control of the shop. |
| May 14 | 5994 | ⚠ | Discover the name of your secret admin panel. |
| Jul 7 | 6285 | ⚠⚠⚠ | Hijack customer sessions and download order details. |
| Aug 4 | 6482 | ⚠⚠⚠ | Hijack customer sessions. |
Then what is the problem?
Since May, I’ve kept real-time statistics on the implementation rate of the Shoplift fix worldwide, and I was curious how this would translate to the newer patches. So I ran a test on all 216,394 known Magento installations globally, discriminating between the free Community and the paid Enterprise edition.
So what can we conclude from this?
Apparently, people do not apply patches. Even for Enterprise Edition shops, for which we can assume that a large amount of money is involved, the latest patch (which is well over a month old and fixes two high-risk issues specifically for Enterprise) is only installed by a minority. These unpatched shops are a potential disaster.
Let us explore the reasons that people do not apply patches. Logical deduction says that they are either unable or unwilling to do so.
Why are they unable to apply Magento patches?
As to why they are unable, the Magento Stackexchange has 559 questions about patches. It boils down to three issues:
- These patches require terminal access and a certain degree of sophistication. Many people run Windows (no terminal), have a hosting account without terminal access or lack the terminal voodoo to download and execute the patches. This is the majority of the complaints.
- Patch installation is complex. Running the patch is not enough, you also have to restart or clear various parts of your application stack, notably the “Magento compilation”, the opcode cache of PHP and in some cases the block cache. Otherwise, patch installation seems to have succeeded but effectively doesn’t protect anything.
- Patch installation is cumbersome. It requires establishing the required patch IDs, creating a Magento account, logging in, downloading, then transferring the files to the location hosting the code base, then running a series of commands. And then you have to test whether everything works as before. Chances are, especially if you maintain multiple shops, that you forget one or more patches or shops.
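As an added example (this is not code from the original post, from Magento, or from MageReport), here is a small POSIX shell script that addresses the two points above that are easiest to get wrong: checking which of the four patches from the table are actually recorded as applied on a given installation, and performing the cleanup steps without which a patch is on disk but not in effect. It assumes, as Magento's patch scripts do, that each applied patch appends a line mentioning its SUPEE ID to `app/etc/applied.patches.list`; the exact column layout of that file, the convention that a reverted patch leaves a later line containing `REVERTED`, the function names and the sample entries are my own assumptions and constructed data, not something the post documents.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumptions are marked below.

# Patch IDs from the article's table.
REQUIRED_PATCHES="SUPEE-5344 SUPEE-5994 SUPEE-6285 SUPEE-6482"

# missing_patches MAGENTO_ROOT
# Prints, one per line, every required SUPEE ID whose last entry in
# app/etc/applied.patches.list is absent or marked REVERTED (assumed convention).
# Prints nothing when all required patches are recorded as applied.
missing_patches() {
    root="$1"
    list="$root/app/etc/applied.patches.list"
    for id in $REQUIRED_PATCHES; do
        # Take the most recent line mentioning this ID; a later revert wins.
        last=$(grep -- "$id" "$list" 2>/dev/null | tail -n 1)
        case "$last" in
            "")         echo "$id" ;;   # never applied on this install
            *REVERTED*) echo "$id" ;;   # applied once, later reverted
        esac
    done
    return 0
}

# post_patch_cleanup MAGENTO_ROOT
# The steps the article says people forget: with compilation enabled, the
# compiled copies under includes/src shadow the patched files, and stale
# block/config cache entries keep serving the old behaviour.
post_patch_cleanup() {
    root="$1"
    # Compiled class files ("Magento compilation"); rebuild or keep it disabled afterwards.
    [ -d "$root/includes/src" ] && rm -rf "$root"/includes/src/* 2>/dev/null
    # Block and configuration cache.
    [ -d "$root/var/cache" ] && rm -rf "$root"/var/cache/* 2>/dev/null
    # The PHP opcode cache lives inside the web server / php-fpm process and can only
    # be dropped by reloading it. Placeholder: replace with your stack's command, e.g.
    #   systemctl reload php-fpm    or    service apache2 reload
    echo "reminder: reload PHP (opcode cache) for $root"
    return 0
}

# write_sample_list DIR
# Writes a CONSTRUCTED applied.patches.list for demonstration: 5344 applied,
# 6285 applied and then reverted, the other two never applied.
write_sample_list() {
    dir="$1"
    mkdir -p "$dir/app/etc"
    cat > "$dir/app/etc/applied.patches.list" <<'EOF'
2015-02-10 14:07:47 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | constructed-sample
2015-07-10 09:12:03 UTC | SUPEE-6285 | CE_1.9.1.0 | v1 | constructed-sample
2015-07-10 09:30:41 UTC | SUPEE-6285 | CE_1.9.1.0 | v1 | REVERTED
EOF
}

# Usage: sh check_patches.sh /var/www/magento        -> lists missing patches
#        sh check_patches.sh --demo                  -> runs against constructed data
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    write_sample_list "$demo"
    echo "missing on sample install:"
    missing_patches "$demo"
    rm -rf "$demo"
elif [ -n "${1:-}" ]; then
    missing_patches "$1"
fi
```

Run it against a real document root after applying a patch and before trusting any scanner's verdict; an empty result from `missing_patches` plus a completed `post_patch_cleanup` is the local counterpart of the remote check described further down.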
Why are they unwilling?
As to why people are unwilling to install patches, psychology research might have the answer. Prospect Theory says that people prefer a large hypothetical risk over a small but certain loss. So shop owners might procrastinate on installing patches to avert a future doom, rather than pay the modest immediate cost of hiring someone to install them. It is all dictated by evolution!
What should Magento do?
In my opinion, Magento could level up the patch rate significantly by:
- Enabling patches without a shell wrapper, i.e. providing a zip with the updated files that one can simply extract over a code base.
- Providing clear communication about the risks that are covered by each patch. Is a new patch “nice to have” or “drop everything you’re doing”?
- Providing a clear overview of which versions require which patches.
- Softening the “login” wall for patch downloads. People should be able to do a wget $patchurl on their development server.
- Ultimately, an auto-update feature 😉
Check your shop: MageReport.com
So what should you do? To help identify whether you are at risk, I’ve created a quick online test that will tell you what to install and how to do it. Don’t end up in the news because somebody stole your customer data; see within 30 seconds whether you have missed any critical patches.
Statement Magento – September 21, 2015
“Thank you for continuing to track Magento security patch installations and for reinforcing the importance of merchants and developers not becoming complacent about security.
Magento is committed to ensuring the security and integrity of our software. We want to empower retailers, brands and branded manufacturers to maintain the kind of fine-grained control they expect from Magento, even when it comes to their security implementations.
Patch updating is a nuanced process, particularly with the high level of customization that merchants implement in order to create uniquely branded customer experiences with Magento. While the unique flexibility of our platform prohibits us from enabling auto-patching, we always work to inform affected merchants and equip them to apply patches as quickly as possible.
To this end, merchants are alerted to the criticality of an update through the vulnerability severity rating associated with each patch and included in the issue description on the Security Center. There is also a great resource developed by the broad Magento ecosystem detailing which version requires which patch. Magereport.com is another great community resource which lets clients run tests on their website and gives an instant overview of which patches have not been applied or where there is uncertainty.
We are working to further simplify the download process for all versions by making patches more easily available for automated downloads.”
Ted Pietrzak, Senior Director, Product Development, Magento
This article in an infographic: