In short, yes. CE 1.7 is still vulnerable to those specific attacks because no security release has been issued which contains a patch.
In the case of the latter one, a session fixation attack, the change is an upgrade in the security practices which Magento already used to stay in line with current security best-practices. Not something likely to be issued to CE 1.7 if they do issue a patch with the CSRF fixes.
The real question is what exactly were these CSRF vulnerabilities which were fixed? Doubtless a good thing that they did not include specifics in the release notes, thus further jeopardizing all prior releases, but it would be nice to know for the sake of patching old implementations.
UPDATE #1:
Upon reaching out to Magento to find out when they will be issuing patches for the above vulnerabilities, I received the following reply:
Allow me some time to research this further. I'm not sure if there are patches available for those two items, as they are listed in our system as product enhancements and not as bugs. I'll update you when I get more information.
I'll post back further details here as I get them, and will be doing my best to get patches issued since it seems that there are not currently any patches in existence.
UPDATE #2: After back and forth with the support team, I was able to obtain a proper patch for Magento EE 1.12.0.2. No patch was issued for Magento CE 1.7.0.2, and as far as the technician who looked into it internally for me knows, there are no plans to release an official patch for CE 1.7.x, instead resolving the issues only in the upcoming CE 1.8 stable release.
As for the EE specific patch file, I cannot post it (or the patch application tool) here directly since it would most undoubtedly be in violation of NDA between Magento and myself personally and the company for which I work. The name of the relevant patch is: "PATCH_SUPEE-1513_EE_1.12.0.2_v1.sh" — If you have the Enterprise Edition or a client using it, you should be able to request this patch from the Magento support team along with a note about the CSRF vulnerabilities which it is supposed to fix.
For CE 1.7.0.2 users, I've taken the freedom to generate a patch file (based on the patch provided by Magento) which includes only the hunks of code which alter Magento CE 1.7.0.2 core code files. In normal fashion, it includes irrelevant bits of added comments and adjusted formatting along with the relevant code changes. Creating this required manually altering the original patch to apply it using the provided patch applying tool, then using git to generate a patch based on the applied changes.
The patch file which I've created can be downloaded from this gist: https://gist.github.com/davidalger/5938568
To apply the patch, first cd into the root of your Magento installation and run the following command: patch -p1 -i ./Magento_CE_1.7.0.2_v1-CSRF_Patch.diff
The EE specific patch included form key validation checks to Enterprise specific controllers, alterations to enterprise/default and enterprise/iphone template files to include form keys in the forms being used for the patched controller actions, and additional Full Page Cache functionality to properly account for passing form keys back and forth on cached pages.
DISCLAIMER: I have NOT TESTED either the EE patch provided by Magento nor the patch I've uploaded to the linked gist. The patch provided in the referenced gist is provided with NO WARRANTY and may or may not fully resolve the vulnerabilities referenced in the CE 1.8 release notes. As an untested patch, there is also no guarantee that it functions in whole or part. I.e. use at your own risk, and take due diligence to test before deploying to a production environment. If you find issues with the patch, let me know and I'll update it.
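The answer above notes that the patch pairs form key validation in controllers with templates that include the form key in their forms. As an added example (not part of the original answer, the gist, or Magento's patch), this Python sketch lists POST forms in a theme's `.phtml` templates that carry no form key, so they can be reviewed before the patched code is deployed. It assumes the key is emitted from PHP (for example `getBlockHtml('formkey')` or `getFormKey()`) or as a hidden `form_key` input; the sample template and its `example/index/...` routes are constructed.

```python
import re
from pathlib import Path

# Heuristic, assumed conventions: any PHP block mentioning formkey/form_key/
# getFormKey, or a hidden input named form_key, counts as "form key present".
PHP_RE = re.compile(r"<\?(?:php|=)?.*?\?>", re.S)
KEY_IN_PHP = re.compile(r"form_?key", re.I)
HIDDEN_KEY = re.compile(r"""name\s*=\s*["']form_key["']""", re.I)
FORM_RE = re.compile(r"<form\b(?P<attrs>[^>]*)>(?P<body>.*?)</form>", re.I | re.S)
POST_RE = re.compile(r"""method\s*=\s*["']?post\b""", re.I)
KEY_TOKEN, PHP_TOKEN = "@@FORMKEY@@", "@@PHP@@"

def _mask_php(src):
    # Replace PHP blocks with tokens so '->' and '?>' cannot end the <form> tag
    # early; newlines are kept so reported line numbers match the file.
    def repl(m):
        token = KEY_TOKEN if KEY_IN_PHP.search(m.group()) else PHP_TOKEN
        return token + "\n" * m.group().count("\n")
    return PHP_RE.sub(repl, src)

def forms_missing_form_key(src):
    """Return the line numbers of POST forms that carry no form key."""
    masked = _mask_php(src)
    missing = []
    for m in FORM_RE.finditer(masked):
        if not POST_RE.search(m.group("attrs")):
            continue  # only POST forms are checked here
        if KEY_TOKEN in m.group(0) or HIDDEN_KEY.search(m.group("body")):
            continue
        missing.append(masked.count("\n", 0, m.start()) + 1)
    return missing

def scan_theme(root):
    """Map each .phtml file under root to the lines of its unkeyed POST forms."""
    report = {}
    for path in sorted(Path(root).rglob("*.phtml")):
        lines = forms_missing_form_key(path.read_text(encoding="utf-8", errors="replace"))
        if lines:
            report[str(path)] = lines
    return report

# Constructed sample template: the first form carries a key, the second does not.
SAMPLE = """<form action="<?php echo $this->getUrl('example/index/save') ?>" method="post">
<?php echo $this->getBlockHtml('formkey') ?>
<input type="text" name="qty" /></form>
<form action="<?php echo $this->getUrl('example/index/delete') ?>" method="post">
<input type="hidden" name="id" value="1" /></form>"""
```

Run `scan_theme()` against the theme directory of a staging copy; each reported line is a form to review by hand, since the match is a heuristic and not a parse of the template.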
The shoplifter tester was written before I discovered that there is a relatively easy way to fetch the admin name.
However, I haven't seen any indications of black hats actively scanning for non-standard admin names so far, based on the logs of several thousand Magento shops. So if you patch now, I wouldn't bother with extensive forensics (apart from checking for rogue users).
Clearly, this advice expires once Magento publishes a fix for the admin leak and the knowledge of how to use it becomes widespread.
We have released the patch of Webgility Store Module. Please refer to our blog for complete details. https://www.webgility.com/blog/security-vulnerability-update/