Magento Patch SUPEE-10975
It is patch day again: Magento patch SUPEE-10975 closes another batch of security holes. As always, it is a good idea to update your shop as soon as possible. The Christmas shopping season is under way, and a shop with a security hole may destroy your business.
Magento Patch SUPEE-10975
Magento Patch 10975 addresses some problems with RSS authentication. A brute force attack against it could slow down your shop server; with the patch, such attacks are no longer possible. Normally your hoster should detect and stop such brute force attacks anyway.
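As an added example (not part of the original post), here is the kind of check a hoster or shop operator can run over web server access logs to spot brute forcing of the RSS authentication: it counts HTTP 401 responses on /rss/ paths per client address inside a sliding time window. The log lines, the /rss/ prefix, the threshold and the window size are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; the sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2018:10:00:01 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "curl/7.61.0"
203.0.113.7 - - [10/Dec/2018:10:00:03 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "curl/7.61.0"
203.0.113.7 - - [10/Dec/2018:10:00:05 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "curl/7.61.0"
203.0.113.7 - - [10/Dec/2018:10:00:07 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "curl/7.61.0"
203.0.113.7 - - [10/Dec/2018:10:00:09 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "curl/7.61.0"
203.0.113.7 - - [10/Dec/2018:10:00:11 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "curl/7.61.0"
198.51.100.9 - - [10/Dec/2018:10:00:04 +0000] "GET /rss/catalog/new HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2018:10:00:06 +0000] "GET /rss/catalog/new HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Dec/2018:10:00:08 +0000] "GET /customer/account/login/ HTTP/1.1" 200 9112 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("path"), int(m.group("status")))

def flag_bruteforce(lines, path_prefix="/rss/", threshold=5, window=timedelta(minutes=1)):
    """Map each client IP to its highest number of failed (401) RSS auth attempts
    seen inside any single time window; only IPs reaching the threshold are returned."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2].startswith(path_prefix) and parsed[3] == 401:
            failures[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged

if __name__ == "__main__":
    for ip, hits in flag_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {hits} failed RSS auth attempts within one minute")
```

A real deployment would read the live log and feed the flagged addresses into the firewall or rate limiter; the threshold should be tuned so that a legitimate feed reader with a mistyped password is not blocked.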
It is no longer possible to store customer credit card information in the database. Most attackers are after exactly this data, and with none of it in the database your shop is no longer a useful target. It makes no sense to store credit card data yourself anyway, because nearly all payment providers have Magento plugins with external forms for entering credit card details. That way, keeping this data secure is not your problem.
Many of the changes concern RCE (remote code execution) in various parts such as the API or authentication. Remote code execution is very dangerous, because with it an attacker may rewrite the code of your store or execute code on a customer's device.
Issues
Currently there are no known issues with this patch. It is important that you only apply it if your shop is up to date; otherwise you may run into compatibility problems. If you want to be safe, it is always a good idea to patch a development stage first and update your production system afterwards.
Conclusion
With every closed security hole, hackers need to find new ones, so there is a constant race between finding new problems and fixing existing ones. Magento 1 is now in a good rhythm, with a big security enhancement every few months. Take your time, read the patch notes and register for update notifications. A safe shop is a shop that is constantly updated.