Is It Time to Upgrade to Joomla 1.6?

Recently we have been having many discussions with clients about whether it is time for them to upgrade from Joomla 1.5 to Joomla 1.6, with most of the discussion surrounding whether it is necessary to do that now for security purposes. There are a number of factors that need to be looked at to determine if it is time for you to upgrade.

It is often said that one of the most important measures for keeping a website secure is to ensure that you are running the latest version of any software on the website. While this is true in general, what isn’t mentioned explicitly in that advice, and many companies that claim to be security experts don’t seem to understand, is that you need to keep the software updated to one of the latest supported versions. If more than one version is supported at a time you don’t need to be running the latest version, just one of the latest supported versions. In the case of Joomla, both version 1.5 and 1.6 are currently supported with bug and security fixes. So at the moment you would be secure if you were running either 1.5.23 or 1.6.3. Back in January, when Joomla 1.6 was released, it was announced that support for Joomla 1.5 would continue for 15 months, so there is about a year of support for Joomla 1.5 left.

A major reason for the continued support of Joomla 1.5 is that Joomla 1.6 is a major upgrade from Joomla 1.5, which requires migrating the Joomla database, some changes in templates to be compatible with Joomla 1.6, and can require major changes in extensions to be compatible. At this point many extensions do not have a version compatible with Joomla 1.6; VirtueMart is one such extension that comes up often during our discussions.

Joomla 1.6 does not introduce any features that directly increase security from hacking. An automatic update feature has been added that makes it easier for Joomla and those of its extensions that support the feature to be updated. As keeping Joomla and its extensions up to date is the most important step in keeping a Joomla website secure, this will hopefully improve security.

It is also important to note that Joomla 1.6 requires at least version 5.2 of PHP and version 5.0.4 of MySQL. At this point, hosting providers should already provide those, though in some cases you may need to switch to PHP 5 in your hosting account’s options. You can check what versions of those are currently being used on the System Info page, which is accessible from the Help menu in the Joomla admin.
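The same prerequisite check can be scripted so it can be run from the command line on the hosting account before an upgrade is scheduled. The script below is an added example, not code from the article or from the Joomla project; it assumes `php` is available on the command line and that the MySQL host, user and password are supplied through the `DB_HOST`, `DB_USER` and `DB_PASS` environment variables (these names are assumptions, not Joomla settings). It is written to run on PHP 5.2 itself, since the point is to test a host that may still be on an older release.

```php
<?php
// Added example (not from the article or the Joomla project): checks the
// hosting account against the Joomla 1.6 minimums named in the text,
// PHP 5.2 and MySQL 5.0.4. Usage: php check-joomla16.php
// The DB_* environment variable names are assumptions for this example.

define('MIN_PHP',   '5.2.0');
define('MIN_MYSQL', '5.0.4');

/**
 * Compare an installed version string against a required minimum.
 * Returns an associative array so the result can be printed or logged.
 */
function checkVersion($component, $installed, $required)
{
    return array(
        'component' => $component,
        'installed' => $installed,
        'required'  => $required,
        'ok'        => version_compare($installed, $required, '>='),
    );
}

/**
 * Ask the MySQL server for its version via mysqli. Returns null when the
 * extension is missing or the connection fails, so the caller can report
 * that the check could not be completed rather than silently passing.
 */
function mysqlServerVersion($host, $user, $pass)
{
    if (!function_exists('mysqli_connect')) {
        return null;
    }
    $link = @mysqli_connect($host, $user, $pass);
    if (!$link) {
        return null;
    }
    $version = mysqli_get_server_info($link);
    mysqli_close($link);
    // Servers often report a build suffix such as "5.0.4-log"; version_compare()
    // ranks an unknown suffix below a plain "5.0.4", so drop it before comparing.
    return strtok($version, '-');
}

$results = array(checkVersion('PHP', PHP_VERSION, MIN_PHP));

$host = getenv('DB_HOST') !== false ? getenv('DB_HOST') : 'localhost';
$user = getenv('DB_USER') !== false ? getenv('DB_USER') : 'root';
$pass = getenv('DB_PASS') !== false ? getenv('DB_PASS') : '';

$mysqlVersion = mysqlServerVersion($host, $user, $pass);
if ($mysqlVersion === null) {
    echo "MySQL: could not determine server version (check mysqli and DB_* credentials)\n";
} else {
    $results[] = checkVersion('MySQL', $mysqlVersion, MIN_MYSQL);
}

foreach ($results as $r) {
    printf("%-6s installed %-12s required %-6s %s\n",
        $r['component'], $r['installed'], $r['required'],
        $r['ok'] ? 'OK' : 'TOO OLD');
}
```

Run it with the hosting account's database credentials exported in the environment; a line reading `TOO OLD` means the host needs its PHP or MySQL switched before Joomla 1.6 can be installed, and a "could not determine" message means the MySQL half of the check did not run and should be confirmed on the System Info page instead.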

So Should You Upgrade Now?

  • If you are in need of the new features in Joomla 1.6 and the extensions you need are compatible with it, you can upgrade now.
  • If you are in need of the new features in Joomla 1.6 and the extensions you need are not yet compatible, you will need to wait until those become available.
  • If you are not in need of the new features then you can wait to upgrade. You might want to begin planning for the upgrade, checking your template, scheduling for the upgrade to be performed during a non busy time for the website, etc.

Still Running Joomla 1.0?

While support ended for Joomla 1.0 in July of 2009, many websites are still running Joomla 1.0. While we haven’t seen Joomla 1.0 to be a major target for hackers, we still strongly recommend upgrading to a supported version as soon as possible. While jumping to Joomla 1.6 appears to be the better option, as you will not need to make another major upgrade in the next year or so, it is not always possible yet and will require a larger change to be made at one time. In our discussions involving Joomla 1.0 websites the major issue holding back upgrading to Joomla 1.6 has been that needed extensions are not yet compatible with the new version. Upgrading to Joomla 1.5 may require less change, as it provides a legacy mode that allows some Joomla 1.0 templates and extensions to continue to run without modification; that feature does not exist in Joomla 1.6. You will still eventually need a template and extensions that are compatible with Joomla 1.6, but you would have over a year to get those in place while having a secured website in the meantime.

Stars virus: Iran claims to intercept second cyberwarfare attack

Iranian officials today claimed to have intercepted a cyberwarfare attack, involving malware designed to spy upon government systems.

The malware has been dubbed the “Stars” virus by Gholamreza Jalali, the head of Iran’s civil defence organisation, who broke the news on the institution’s website.

Jalali says that the Stars virus continues to be investigated by the country’s experts, and that it could have been “mistaken for executive files of governmental organisations”. That suggests that the attack may have been disguised as a legitimate Word, PDF file or similar document in an attempt to trick unsuspecting victims into infecting government computers.

Inevitably, many people will remember the brouhaha that surrounded the Stuxnet virus last year, and sure enough the media has jumped upon the story of the new Stars virus.

Unfortunately, we can’t tell you much about this Stars virus. As far as we know, we don’t have a sample in our malware collection – and we would really need the Iranian authorities to share what they have seen with the anti-malware community, so we can delve a little deeper.

An MD5 checksum, for instance, would quickly help us ascertain if this is a sample of some malware that we’ve seen before.

In his statement, Jalali blamed American and Israeli forces for attacking Iranian websites, but we are not able to confirm that the malware attack – if genuine – originated in either country or if it is really specifically targeting Iranian systems.

Let’s not forget, we see almost 100,000 new unique malware samples every day – much of it designed to spy upon victims’ computers. Presumably the Iranian authorities have reason to believe that the Stars virus they have intercepted was specifically written to steal information from their computers, and is not just yet another piece of spyware.

If we learn any more we’ll certainly let you know.

Easter Egg locations remain safe, says Bunny spokesperson

Reports surfaced late today that the Easter Bunny had a minor incident while hiding the last of his eggs during his traditional Easter mission.

Every year the Easter Bunny travels the world hiding brightly colored eggs and baskets with goodies for children to discover on Easter morning.

“It would be a tragedy if the locations of all the eggs and baskets were disclosed,” said an anonymous parent representing a children’s rights group.

Unfortunately it appears that the Easter Bunny had stored all of his data and maps of where his eggs were placed in one basket.

Fortunately Naked Security was able to reach a spokesperson for the Easter Bunny, who assured us that the locations of the treats were fully encrypted on Mr. Bunny’s netbook.

“The Easter Bunny takes the joy of children seriously, and despite the loss of his maps, Easter will proceed normally,” said the spokesperson.

Creative Commons image of Polish pisanki (eggs) courtesy of Jarosław Pocztarski’s Flickr photostream.

SSCC 57 – Infosec Europe 2011, Facebook privacy

Paul Ducklin from Sophos Australia joined me at Info Security Europe 2011 this week to help explain our open letter to Facebook.

Paul and I discussed the three points we outlined in our letter and other associated issues we have seen recently concerning safety and privacy on Facebook.

We also spoke about some of the booths and presentations at the show and shared our thoughts on what vendors should be sharing with the public at these shows.

If you prefer a news summary for the week in text format, visit the Sophos Security Hub for the latest selected hot topics or subscribe to our weekly newsletter, Sophos enews.

(21 April 2011, duration 11:44 minutes, size 7.5MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 57.