There is a major reason you should update to 1.6.8: there’s a security hole in 1.6.7. It’s not an out-of-the-box security hole, but it’s still a very significant one, and it’s one that many of our existing clients are exposed to. How do we know? Because our programmer, Justin, found it and we brought it to EllisLab’s attention.
Now, I’ve said before that one of the biggest reasons we use and recommend Expression Engine is because of their security record. Does that still hold true even in light of the problem in 1.6.7? Actually, yes, more than ever. We reported our discovery to EllisLab by email just three days ago, on Monday at 5:30 p.m. There was a patched version of the file in my inbox on Tuesday at 8:30 a.m. Seriously: when do these people sleep?
On Tuesday, together with EllisLab, we expanded the scope of the testing, and reported some smaller edge cases that still needed to be dealt with. By the end of Tuesday, EllisLab had caught all the interactions relating to this hole and gave us a final patch.
I was then expecting that there would be a new build of EE in a week or two; and was even wondering how I might deal with the situation if EllisLab was slow to patch given how much else they had going on right now, and given that this wasn’t a known exploit. I now know I had nothing to worry about. Not only didn’t we have to wait a week, by Thursday morning there was a new point release, not just a build release—well, I know the EllisLab folks aren’t the ones to pat themselves on the back, so let me be the one to do so: Leslie and Derek, you guys are fast, smart and professional, and to anyone else involved in the release, I’m astounded by your responsiveness.
So if you’re wondering: does EE have a perfect safety record? Nope. Neither does any software I can think of. However, I can say that my belief in EE as the most secure CMS out there is further cemented by this recent experience. EllisLab took the problem seriously and dealt with it efficiently and appropriately.