A month or so ago I wrote about the importance of patching your content management system and the advantage we believe open source content management systems have over proprietary ones.
At the time of writing I had no idea how relevant it would turn out to be to an issue subsequently identified in the Drupal content management system. On 15 October 2014 the Drupal security team released a patch for a highly critical vulnerability (their top severity rating), with details available here: https://www.drupal.org/SA-CORE-2014-005
The flaw was an SQL injection in Drupal 7's database abstraction layer, in the code that expands array-valued query arguments into placeholders; it affected Drupal 7.x before 7.32 and could be triggered by an anonymous visitor with a single crafted request. It let an attacker take control of a Drupal site: run arbitrary SQL, create administrator accounts or execute PHP code, and from there access the site's content and use its functionality for their own purposes.
The advisory itself caused considerable discussion within the Drupal community: as well as alerting webmasters, site administrators and developers to the need to patch, it alerted would-be attackers to the vulnerability, and automated exploitation started within hours. The Drupal security team's follow-up announcement (PSA-2014-003, 29 October 2014) advised that any Drupal 7 site not patched or updated before 23:00 UTC on 15 October 2014, about seven hours after the advisory, should be assumed compromised. For many that window was too short, and further remedial work (restoring from a backup taken before 15 October, or rebuilding the site) was required to restore the integrity of the Drupal website.
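To show what "expanding array-valued arguments into placeholders" means and why it was exploitable, here is a small Python re-creation of that logic with the pre-7.32 behaviour and the 7.32 fix side by side. This is an added example, not Drupal's PHP code or anything from the original post; a PHP array is modelled as a Python dict, and the query and the attacker-controlled argument are constructed for the demonstration (the query is modelled on the user login lookup, where the submitted user name was passed straight in as an argument).

```python
"""Re-creation of the placeholder expansion behind SA-CORE-2014-005.

fixed=False mirrors Drupal 7 before 7.32: the argument array's own keys are
used to build the new placeholder names, and those names are pasted into the
SQL text. If the keys come from user input (PHP builds an array from request
parameters written as name[...]), the SQL text becomes attacker-controlled.
fixed=True mirrors the 7.32 change (array_values() before iterating): keys
are discarded, so only 0..n-1 can ever reach the query.
"""
import re


def expand_arguments(query: str, args: dict, fixed: bool) -> tuple:
    """Expand array-valued placeholders, e.g. ':name' -> ':name_0, :name_1'.

    Returns (rewritten_query, rewritten_args)."""
    new_args = dict(args)
    for key, data in args.items():
        if not isinstance(data, dict):
            continue  # scalar argument: nothing to expand
        # Vulnerable path keeps the caller's keys; fixed path renumbers 0..n-1.
        pairs = enumerate(data.values()) if fixed else data.items()
        new_keys = {f"{key}_{i}": value for i, value in pairs}
        placeholders = ", ".join(new_keys)
        # ':name' -> ':name_0, :name_1'; \b keeps ':name' from matching ':names'.
        query = re.sub(re.escape(key) + r"\b", lambda _m: placeholders, query)
        del new_args[key]
        new_args.update(new_keys)
    return query, new_args


# Constructed sample query (modelled on the login lookup, not copied from core).
QUERY = "SELECT * FROM users WHERE name = :name AND status = 1"

# Constructed attacker input: the SQL lives in the array *key*; the plain
# key 0 is there so that ':name_0' still has a value bound to it.
MALICIOUS_ARGS = {":name": {"0 ; DROP TABLE users; -- ": "x", 0: "admin"}}


def vulnerable_query() -> str:
    """SQL text produced by the pre-7.32 code for the malicious argument."""
    return expand_arguments(QUERY, MALICIOUS_ARGS, fixed=False)[0]


def patched_query() -> str:
    """SQL text produced after the 7.32 fix for the same argument."""
    return expand_arguments(QUERY, MALICIOUS_ARGS, fixed=True)[0]


if __name__ == "__main__":
    print("before 7.32:", vulnerable_query())
    print("7.32 fix:   ", patched_query())
```

Before the fix the injected statement lands verbatim in the query string; after it the same input yields `name = :name_0, :name_1`, which is a malformed query that the database rejects rather than extra SQL that it runs. That one-line change, `foreach (array_values($data) ...)` in place of `foreach ($data ...)`, is the whole patch.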
At Koda we managed to patch all the sites in our care within this window; unfortunately not everyone was able to do so.
One of the chief concerns raised was that sending the security notification alerted attackers to the vulnerability. I don't believe there was any choice. The issue was reported to the security team, a patch was developed and the advisory was published. If it had not been found and we had not been notified, it could have been exploited by an attacker without our being aware. I believe the real issue the event has raised is the need to partner with a developer and hosting company that proactively monitors the security advisories released by the Drupal security team and ensures the sites in their care are patched promptly.
The Drupal security team publishes advisories at https://www.drupal.org/security (with an RSS feed) and offers an email alerting service: register on www.drupal.org and subscribe to the security announcements newsletter in your account settings.
This is a great example of the benefit of using an open source content management system with a large community of developers and a dedicated security team that triages reports and coordinates fixes. Drupal has a large team of contributors, and we all work actively to keep the platform as stable as possible.
I'm not sure how easily an issue such as this would have been identified and resolved on a proprietary content management system, where financially and logistically it is not viable to proactively review code within the application.
What it does reinforce, however, is that once your website is built there is still an ongoing requirement to proactively assess the state of the environment, apply updates as required, and above all apply security patches as soon as they become available: for an advisory of this severity the safe window is measured in hours, not in the next maintenance cycle.
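The monitoring and ongoing-assessment points above need a concrete check, so here is one a hosting team could run across its Drupal 7 docroots to find sites still missing this particular fix. It is an added example, not Koda's tooling or anything from Drupal itself. It reads two real core files: `includes/bootstrap.inc`, where Drupal 7 defines its `VERSION` constant, and `includes/database/database.inc`, which the 7.32 patch changed to iterate over `array_values($data)`. The second signal matters because many sites applied the one-line patch by hand without bumping the version, so the version string alone under-reports patched sites. The regular expressions, the function names and the embedded file fragments are my own constructions.

```python
"""Report whether a Drupal 7 docroot carries the SA-CORE-2014-005 fix.

Signals (both are real core-file details; the checks themselves are mine):
  1. includes/bootstrap.inc: define('VERSION', '7.32') or later
  2. includes/database/database.inc: the fixed expandArguments() loop,
     foreach (array_values($data) as $i => $value)
"""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

FIXED_IN = (7, 32)  # first Drupal 7 release containing the fix
VERSION_RE = re.compile(r"define\('VERSION',\s*'(\d+)\.(\d+)[^']*'\)")
FIX_RE = re.compile(
    r"foreach\s*\(\s*array_values\(\s*\$data\s*\)\s+as\s+\$i\s*=>\s*\$value\s*\)"
)


def parse_version(bootstrap_inc: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from bootstrap.inc text; None if not found.

    Tolerates suffixes such as '7.32-dev' by ignoring anything after minor."""
    m = VERSION_RE.search(bootstrap_inc)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(bootstrap_inc: str, database_inc: str) -> str:
    """Return 'patched', 'vulnerable', 'not-affected' or 'unknown'."""
    version = parse_version(bootstrap_inc)
    if version is None:
        return "unknown"
    if version[0] != 7:
        return "not-affected"  # the advisory covers Drupal 7.x before 7.32 only
    if version >= FIXED_IN:
        return "patched"
    # Below 7.32: patched only if the one-line fix was applied by hand.
    return "patched" if FIX_RE.search(database_inc) else "vulnerable"


def check_docroot(docroot: str) -> str:
    """Assess a docroot on disk; unreadable or missing files give 'unknown'."""
    root = Path(docroot)
    try:
        bootstrap = (root / "includes" / "bootstrap.inc").read_text(errors="replace")
        database = (root / "includes" / "database" / "database.inc").read_text(errors="replace")
    except OSError:
        return "unknown"
    return assess(bootstrap, database)


# Constructed fragments standing in for the real core files.
UNPATCHED_BOOTSTRAP = "<?php\ndefine('VERSION', '7.31');\n"
PATCHED_BOOTSTRAP = "<?php\ndefine('VERSION', '7.32');\n"
D6_BOOTSTRAP = "<?php\ndefine('VERSION', '6.33');\n"
VULNERABLE_DATABASE = (
    "      foreach ($data as $i => $value) {\n"
    "        $new_keys[$key . '_' . $i] = $value;\n      }\n"
)
FIXED_DATABASE = (
    "      foreach (array_values($data) as $i => $value) {\n"
    "        $new_keys[$key . '_' . $i] = $value;\n      }\n"
)

if __name__ == "__main__":
    # Usage: python check_drupageddon.py /var/www/site1 /var/www/site2 ...
    for path in sys.argv[1:]:
        print(f"{path}: {check_docroot(path)}")
```

A result of "patched" only says the code on disk is fixed; it says nothing about whether the site was compromised during the hours before the fix landed, and the security team's guidance on assuming compromise and restoring from a pre-15-October backup still applies to any site that was late.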