
Drupal is saying that people were being compromised only hours after the details were known. That's a very short window to update software. In this instance, I'm not really sure what anyone could have done to avoid the potential for compromise. Your install is practically DOA by the time you learn of the news.


That's exactly the issue. Most enterprises didn't even have time to be notified and properly test/push a patch live before the attacks were already in the wild.


It's like Exploit Wednesday for Windows, except Drupal is a lot easier to reverse and find where the security issues lie given it's open-source. So instead of taking a day to reverse/find holes, it takes a matter of minutes.


In addition, the issue was leaked pre-announcement among a great many parties who had time to prepare.


Do you have more detail on that? I'd hazard a guess at irresponsible disclosure, or an internal Drupal employee leak.


Then you fall back on backups. These are all very old admin problems.



