An unusual public service announcement was issued by the Drupal Security Team earlier today as a "highly critical" follow-up to a previous security advisory from October 15. It warns that Drupal sites (version 7.x) that have not been patched, or that were not patched quickly enough, should be assumed to be compromised:
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
We would like to reassure our customers that every Drupal 7.x website hosted and/or maintained by Othermachines was patched by 7:30 PM UTC on October 15, less than 4 hours after the announcement. This is well within the safe window specified by the Drupal Security Team, and no further action is required.
Although these highly critical vulnerabilities are unusual, they do happen. That is why it is our policy to carefully and promptly review every security advisory to determine the level of risk and take appropriate action.
More detailed information can be found by following the links below, or by contacting us directly.
As always, thank you for choosing Othermachines.