SUPEE-7405

In November, we published a blog post about the worst Magento patch that we’d come across to date – SUPEE-6788, known to some in our offices as “the website killer”. It required significant work to apply this patch, which in essence requires Magento store owners to have us upgrade their extensions and store, and address all of the issues that can arise when conducting such upgrades. Other developers like Shero estimated that it “…took around 40 hours to complete” a Magento SUPEE-6788 patching and relevant work. While our team has been averaging fewer hours for this patch, Magento developers as a whole reported very similar experiences.  We hoped that while this was a traumatic experience for the Magento community-at-large, we might start off 2016 on a better foot.

Unfortunately, SUPEE-7405, released in January 2016, has turned out to be another headache for many store owners. As our friends at Simple Helix posted a few weeks ago, this patch changed file permissions making it impossible to do things like upload images through the admin successfully. Magento has since updated the patch (on February 23rd) requiring sites previously patched to be re-patched (lest their sites not be in good shape for future patches and upgrades). We’re glad that they addressed the issue, but we recognize the burden that this places on our customers who bear the financial burdens, and our business that needs to keep up with unexpected jumps in demand for patching and debugging large numbers of clients.

While researching the 7405 patch, we uncovered an article from the team at Sucuri that shed some light into the history of the issue. It appears that the Sucuri team became aware of the security vulnerability because they detected issues found with their Cloud Firewall, and notified the Magento team. As many of our client’s know, we’ve been recommending the Sucuri Malware Monitoring and Firewall system in many of our recent publications.

Furthermore, according to Sucuri’s article on the 7405 patch, websites using their firewall can be patched “virtually”, meaning that even if you don’t have the patch installed yet, you can potentially be protected. While not all vulnerabilities can be addressed virtually in this way, we highly recommend the Sucuri firewall product. For around $300 a year, (the equivalent of about 2 of hours of work by our team) it’s a great value, and can offer a huge savings by avoiding, detecting early, and helping to address malware and other security concerns. It’s also a really great opportunity for websites that are outdated and not compatible with the latest patches, or otherwise aren’t being as actively patched.

We’re still huge fans of the Magento eCommerce Platform for a great many reasons, including its great features, many extension options, and open source coding. Simultaneously, we’re continuing to help customers evaluate the best platform for their long term needs. As the costs of building and maintaining a Magento website grow, our team is continuing to help assess other options for clients, such as startups and small businesses, and have been advising businesses accordingly.

-Robert Rand