The vulnerability is an XML Quadratic Blowup Attack: a small XML document is crafted so that expanding its entities requires hundreds of megabytes of memory, which ends up crashing your website and even the web server.
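To make the blowup concrete from the defender's side, here is an added example (not Clickability's code and not the WordPress or Drupal patch) that estimates how large a document becomes once its internal entities are expanded and rejects it before a real parser allocates that memory. It assumes a simplified DOCTYPE with only internal general entities; the sample documents are constructed for illustration.

```python
import re

# Simplification (assumption): only internal general entities declared in the
# internal DTD subset are modelled; parameter and external entities are not.
_DOCTYPE = re.compile(r'<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>', re.S)
_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_REF = re.compile(r'&(\w+);')
_PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one char


def _split(xml):
    """Return (entity table, document body after the DOCTYPE)."""
    m = _DOCTYPE.search(xml)
    if not m:
        return {}, xml
    table = {}
    for name, dq, sq in _DECL.findall(m.group(1)):
        table.setdefault(name, dq or sq)  # first declaration wins (XML spec)
    return table, xml[m.end():]


def expansion_cost(xml, budget=10_000_000):
    """Characters the body occupies once every entity reference is expanded.
    Raises ValueError as soon as the running total passes `budget` or an
    entity refers to itself, so the expanded text is never materialised."""
    table, body = _split(xml)
    cache, in_progress = {}, []

    def cost(text):
        total, last = 0, 0
        for m in _REF.finditer(text):
            total += m.start() - last
            last = m.end()
            name = m.group(1)
            if name in table:
                total += entity_cost(name)
            elif name in _PREDEFINED:
                total += 1
            else:
                total += m.end() - m.start()  # undeclared: left as written
            if total > budget:
                raise ValueError(f"entity expansion exceeds {budget} characters")
        return total + len(text) - last

    def entity_cost(name):
        if name in cache:
            return cache[name]
        if name in in_progress:
            raise ValueError(f"recursive entity {name!r}")
        in_progress.append(name)
        cache[name] = cost(table[name])
        in_progress.pop()
        return cache[name]

    return cost(body)


def within_budget(xml, budget=10_000_000):
    """True if the document can be fully expanded within `budget` characters."""
    try:
        return expansion_cost(xml, budget) <= budget
    except ValueError:
        return False


# Constructed samples: a benign document, and a small quadratic blowup where
# one 1,000-character entity referenced 100 times expands to about 100 KB.
BENIGN = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "xxxxxxxxxx">]><r>&a;&a;&a;</r>'
BLOWUP = '<!DOCTYPE r [<!ENTITY big "' + 'x' * 1000 + '">]><r>' + '&big;' * 100 + '</r>'
```

A pre-parse estimate like this complements, rather than replaces, the expansion limits of the XML parser actually in use.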
While WordPress and Drupal both updated their software to protect against this vulnerability, the headline draws attention to the differences between using an open source WCM (or, for that matter, any installed or managed-services WCM) and a SaaS-based solution like Clickability.
In the case of WordPress and Drupal, the executive from Salesforce.com who found the vulnerability notified the providers before disclosing the information to the public. The two patched their software, and now users, IT departments and third-party managers have to download the patch and make the updates. And, while WordPress now has automatic updates expressly for the purpose of rolling out security patches, not all users have enabled that setting.
In a SaaS environment, you don’t have to wait for upgrades and patches to happen, spend IT time and resources managing vendor software upgrades, or pay a third party to do it. SaaS solutions automatically push upgrades and patches out to all users as part of the software development cycle; there is no need for users to download anything. This is all part of the subscription, multi-tenant model, where all users run on one version of the software that is managed by the provider. At Clickability, not only are we constantly monitoring for vulnerabilities, but when we make patches and updates our customers enjoy the benefits without ever having to take any action on their end.
In sum, smart organizations that want to make efficient choices regarding the use of IT time and resources are better off choosing a SaaS-based WCM that proactively manages security and pushes updates with no action needed from customers’ IT departments or third-party service managers.