On Tuesday, October 25, the Joomla team released version 3.6.4, which is an urgent security update.
We've compiled a short FAQ to help you, and we'll keep this updated as we know more.
Here's what you need to know about the Joomla 3.6.4 release ...
How serious is this update?
The importance of this update is rated "High". This is not as important as a "Critical" update - it is not a Joomla version of Drupalgeddon. However, we definitely recommend that you update quickly.
Can I wait until later?
Hackers will likely be able to figure out the exploit within a few hours. At that point, they'll start looking for Joomla sites to hack. So it's a race between you and the hackers.
Thanks to Joomla's announcement, you have a tremendous head start. But it's not big enough for you to stall. It's essential that you update as soon as the release is available.
Don't wait to update.
How do I update?
You can update as normal. Go to Components > Joomla Update and update from there.
There are also services such as Watchful that make it easy to update multiple sites.
What changes were made in the update?
The Joomla team's fixes relate to com_users and the registration and authentication processes. The security issues solved by Joomla 3.6.4 are all related to users creating new accounts:
- Security issue #1: Inadequate checks allow users to register on a site when registration has been disabled.
- Security issue #2: New users can register on a site with elevated privileges.
The team also updated the cryptography library to fix a small bug that was introduced in Joomla 3.6.3.
The key problem is explained by Nicolas from Akeeba:
Due to a bug introduced in Joomla 3.4.4 an unauthenticated user can register a user account with any user group assignment they choose except Super User. This works even when you have turned off account registration.
In plain English, any random hacker can create an Administrator (but NOT Super User) account on your site. Using that they can modify the content of your site but, with the default security options of Joomla in place, cannot install malicious extensions.
Nicolas is the developer of Admin Tools and the latest version of that component will help keep your sites safe, including against this particular bug.
Does this affect all Joomla 3 sites?
No, only Joomla versions 3.4.4 through 3.6.3 are affected. Nevertheless, all Joomla 3 sites should update to 3.6.4.
Does this affect Joomla 2.5 sites and older?
Only Joomla 3.4.4 through 3.6.3 sites are affected. But, older versions have other known vulnerabilities. They should be migrated to Joomla 3 at the earliest opportunity.
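As an added example (not code from Joomla, Akeeba or this post), here is a small Python check a site owner could run after updating: it tests whether a reported Joomla version falls in the 3.4.4 through 3.6.3 range above, and queries the user tables for accounts that registered during the exposure window in a group other than the default registration group, which is the trace the bug Nicolas describes would leave. It assumes Joomla's default group ids and the `registerDate`, `usergroups` and `user_usergroup_map` names, and uses constructed rows in an in-memory SQLite database in place of a live site database.

```python
import sqlite3

# Affected range stated in the advisory: 3.4.4 through 3.6.3, inclusive.
AFFECTED_MIN = (3, 4, 4)
AFFECTED_MAX = (3, 6, 3)

# Assumed Joomla default: self-registered accounts land in "Registered" (id 2).
# The bug let an unauthenticated registration pick any group except Super User,
# so a recent registration in any other group is worth a second look.
DEFAULT_REGISTRATION_GROUP = 2


def is_affected(version: str) -> bool:
    """True if a Joomla version string (e.g. '3.6.3') is in the vulnerable range."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts = parts + (0,) * (3 - len(parts))  # pad '3.6' to (3, 6, 0)
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def find_suspicious_registrations(conn, since: str):
    """Accounts registered on/after `since` that sit in a non-default group."""
    sql = """
        SELECT u.id, u.username, u.registerDate, g.title
        FROM users u
        JOIN user_usergroup_map m ON m.user_id = u.id
        JOIN usergroups g ON g.id = m.group_id
        WHERE u.registerDate >= ? AND m.group_id != ?
        ORDER BY u.registerDate
    """
    return conn.execute(sql, (since, DEFAULT_REGISTRATION_GROUP)).fetchall()


def build_sample_db():
    """Constructed stand-in for the Joomla tables (table prefix dropped)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, registerDate TEXT);
        CREATE TABLE usergroups (id INTEGER, title TEXT);
        CREATE TABLE user_usergroup_map (user_id INTEGER, group_id INTEGER);
        INSERT INTO usergroups VALUES (2,'Registered'),(6,'Manager'),
                                      (7,'Administrator'),(8,'Super Users');
        INSERT INTO users VALUES (42,'admin','2015-01-10 09:00:00'),
                                 (900,'jsmith','2016-10-24 03:12:44'),
                                 (901,'backup_svc','2016-10-26 01:58:07');
        INSERT INTO user_usergroup_map VALUES (42,8),(900,2),(901,7);
    """)
    return conn


if __name__ == "__main__":
    print(is_affected("3.6.3"), is_affected("3.6.4"))  # True False
    for row in find_suspicious_registrations(build_sample_db(), "2016-10-01"):
        print(row)  # only backup_svc, an Administrator created after the window opened
```

Against a real site, point the query at the prefixed tables and set `since` to the date the site first ran an affected version.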