Magento 1 reaches EOL: Merchants urged to upgrade or risk breaches, falling out of PCI DSS compliance
When Adobe released security updates for Magento last week, it warned that the Magento 1.x branch is reaching end-of-life (EOL) and end-of-support (EOS) on June 30, 2020, and that those were the final security patches available for Magento Commerce 1.14 and Magento Open Source 1.
Unfortunately, there are still too many (over 100,000) active Magento 1.x installations. The company is urging their owners and admins to migrate to Magento 2.x or risk being hit once another critical and easily exploited vulnerability is unearthed and its existence made public.
Magento is a very popular open-source e-commerce platform that powers many online shops, a fact that hasn’t gone unnoticed by cyber criminals.
Nearly four years ago (and possibly even earlier), cyber crooks started concentrating on breaching Magento-based shops and injecting them with scripts that quietly grabbed users’ personal and payment card information and sent it to a server they controlled.
Since then, the tactic has been used and continues to be used by many cyber criminal groups, which have been classified by security companies as “Magecart” attackers. As they are quick to exploit newfound vulnerabilities in the Magento core and third-party extensions, hardly a day passes without news about another online shop having been compromised.
If you decide to stick with Magento 1
“If you have a store that continues to run on Magento 1 after June 30, please be aware that from that date forward you have increased responsibility for maintaining your site’s security and PCI DSS compliance,” Adobe warned.
Merchants that continue to use an unsupported Magento 1 version will have to implement compensating controls to re-certify PCI DSS compliance, such as signing up for and implementing third-party fixes and updates, continuously scanning their installations for malware, vulnerabilities and unauthorized accounts, using a web application firewall, and so on.
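One concrete piece of the “continuously scanning” control listed above, as an added example that is not Adobe’s, Magento’s or the article’s own code: a Python check that parses storefront HTML and flags external script hosts that are not on a merchant-maintained allowlist. The allowlist, the host names and the sample page are constructed for the demonstration.

```python
"""Allowlist check for third-party <script> sources in storefront HTML.

Added example (not Adobe's or Magento's code). It parses a page's HTML,
collects every external script source, and reports any host that is not
the page's own host and not on the merchant's allowlist. The allowlist
and the sample page below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the merchant knowingly loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.psp.example"}

# Constructed sample page: one relative script, one allowlisted CDN script,
# one inline script and one protocol-relative script from an unknown host.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="/js/prototype/prototype.js"></script>
<script src="https://cdn.shop.example/skin/frontend/checkout.js"></script>
<script>var Translator = new Translate({});</script>
<script src="//static.unknown-host.test/jquery.min.js"></script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects src= values of <script> tags and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []     # src attribute of every <script src=...>
        self.inline_count = 0  # <script> tags with no src attribute

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline_count += 1


def unexpected_script_hosts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return the sorted hosts of external scripts that are neither the
    page's own host nor allowlisted. Relative and protocol-relative URLs
    resolve against page_host; urlparse().hostname is already lowercased."""
    parser = ScriptCollector()
    parser.feed(html)
    flagged = set()
    for src in parser.external:
        host = urlparse(src, scheme="https").hostname or page_host
        if host != page_host and host not in allowed:
            flagged.add(host)
    return sorted(flagged)


def count_inline_scripts(html):
    """Inline scripts deserve a diff against a known-good baseline; this
    returns how many the page carries."""
    parser = ScriptCollector()
    parser.feed(html)
    return parser.inline_count
```

Run against a crawl of checkout and account pages, a new host in the output is the signal to compare the page against the last known-good copy.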
“General security vulnerabilities tend to increase the longer software is unsupported as hackers continue to use new technologies and techniques for exploitation. This raises the risk of attacks and security breaches over time and increases the possibility of exposing personally-identifiable customer data,” Adobe explained.
Companies risk their reputation, the trust of their customers and fines, and may even lose their credit card processing ability if they fail to protect user information.
Another thing: the end of support for Magento 1 also means that some extensions merchants use will not be available anymore.
“We encourage Magento 1 merchants to download the Magento 1 extensions they plan to keep, since Magento 1 extensions will not be available in the Magento Marketplace after July 7, 2020, and will be removed from the Magento repository after August 6, 2020,” Adobe noted last week.
Magento 2 or something else?
PayPal, Visa and other payment processing companies and payment platforms have also been urging merchants to make the switch to Magento 2.
Even though Magento 2 was released five years ago, and even though the migration from Magento 1 to Magento 2 can be performed using an official Data Migration Tool, the number of Magento 2 installations is still lagging (it’s currently around 37,500 installations).
As “painful” and costly as it may be, this EOL will hopefully push many Magento 1 merchants to finally make the switch – or make the switch to an alternative platform.
“2020 has been a tumultuous year for retailers. Merchants should not have to worry about security issues or upgrading their ecommerce platform while they are in the middle of adapting to drastically changed consumer behaviors and expectations. Amidst the list of business-critical priorities a merchant needs to focus on, worrying about what’s happening with a Magento migration or installation should not be included,” noted Jimmy Duvall, Chief Product Officer at BigCommerce.
Earlier this month, Windows 7 – the most beloved Windows version to date – reached end-of-support.
Businesses of all sizes can still pay to receive extended security updates (ESUs) to keep their systems secure while they plan their upgrade, but home users don’t have that option.
They can still upgrade from Windows 7 to Windows 10 for free (if they have a valid serial number for Windows 7), but those who continue to use Windows 7 now that support has ended are simply more vulnerable to security risks.
AV on Windows 7
Foresight Cyber CEO Vladimir Jirasek has recently shared good advice on how businesses can minimize the risk of security breaches if they, for whatever reason, can’t upgrade from Windows 7 and can’t afford ESUs. Some of his suggestions can also be implemented by consumers.
In addition to that, the good news is that some browser and many AV manufacturers will continue to offer Windows 7 support.
“Google has made it totally official in assuring its Chrome users that it will provide further security updates at least until July 2021. As the latest version of Microsoft Edge for Windows 7 relies on the same HTML engine as Chrome, it ought to have security updates,” German antivirus testing laboratory AV-Test shared.
“There has been no official word on this yet from Firefox. Only in the support forums, the leading moderators point out that Mozilla continued to supply updates for Firefox under Windows XP for several years after support was phased out.”
Most AV manufacturers haven’t announced end of support for Windows 7, but will extend support for another two years at least (you can check which here). Avira will end support in November 2022, and Sophos will support its on-premise AV version until December 2020 and its cloud-managed version until June 2021.
Even Microsoft will continue to release signature updates (including engine updates) to service systems currently running Microsoft Security Essentials until 2023.
Finally, it’s good to note that users who don’t want to switch to Windows 10, or can’t because their old computer can’t run it, can still opt for a supported Windows version: Windows 8.1 is under extended support until January 10, 2023.