Blog

atlanticbt_magento-update-security

The Magento Security Patch You Can’t Afford to Ignore

If your online store is not secure, it doesn’t matter how much revenue it brings in—the right cyberattack could cripple your ability to run online transactions.

This in mind, it’s critical for users of both Magento Enterprise and Community to install a critical security update called SUPEE-8788. In this blog post, I’ll go through the details of this patch and what my team at ABT learned from this process.

Who Is Affected?

If you use a version of Magento Enterprise older than 1.14.2.4 or a version of Magento Community older than 1.9.2.4, you need to apply this update.

What Exactly Does This Update Do?

SUPEE-8788 addresses 17 different APPSEC vulnerabilities in Magento, including ones found in the payments system, user sessions, the Flash-based media uploader, and within the Zend Framework itself (which Magento has assumed maintenance of since ZF1 passed end-of-life).

In addition to the security updates in the SUPEE-8788, Magento versions 1.9.3 (CE) and 1.14.3 (EE) also provide several dozen other fixes and updates, including:

      • Tax calculation fixes
      • Shopping cart and checkout fixes
      • Catalog fixes
      • Price rule fixes
      • Configurable swatches fixes
      • Import/export fixes
      • Indexer fixes
      • Visual Merchandiser fixes (EE-only)

How Do I Apply This Update?

Visit Magento’s Security Patches page and follow the instructions to either update your version of Magento or download and install a patch alleviating these security issues. Because the patch can be applied quicker and with less complication than the version upgrade, we recommend installing the patch immediately if you don’t have the time or resources to perform a full Magento upgrade.

Wait, Why Do I Need More Time to Perform This Magento Upgrade?

Magento upgrades take a lot more than clicking a button and waiting a few minutes. Your developers will need to ensure the new version installs correctly and works with your existing design and customizations. We also recommend a thorough QA process across all areas of your online store when you install the upgrade. Making matters more complex, the new versions of Magento differ greatly in quality based on whether you’re using Community or Enterprise.

How Should Magento Community and Enterprise Users Handle the Upgrade?

Magento CE 1.9 users, especially those on 1.9.2, should review the fixes and features in the 1.9.3 upgrade to determine if it’s worth extra time to upgrade rather than install the patch. Spend some time reviewing the Magento forums, StackOverflow, and subreddit to see what kinds of issues people are reporting with the upgrade. This will help you anticipate and resolve any common issues or conflicts you’re likely to encounter with the upgrade.

Magento Enterprise users should be more cautious regarding the upgrade. While it’s always preferable to be on the latest version whenever possible, we’ve been disappointed in the lack of quality control in this release. Our Magento developers have already identified multiple bugs in the EE-specific changes which required hotfixes. There’s also currently little public discussion around 1.14.3, so it’s difficult to find solutions by comparing notes with other users. While this update does fix some long-standing bugs and the aforementioned security issue, the update trades these problems for new ones without proven fixes. This makes it easier to just install the patch if you use Magento Enterprise.

What If I Need Help or Have More Questions?

Feel free to post any questions or thoughts in the comments section below. If you’re interested in getting Atlantic BT’s help in handling your upgrade, contact us today to get started.