Keeping the software running a website up to date is a basic security measure, as it prevents the website from being exploited through a known vulnerability in an outdated version of the software, yet we continue to see that software isn’t being kept up to date. Our recent look at the stats from our tools for checking web software versions showed that a large percentage of the websites checked were running outdated versions of Joomla, WordPress, and MediaWiki. Even websites that you would expect to take security seriously are failing to keep their software up to date. We recently looked at companies offering to clean up hacked Joomla websites and found that they were not keeping the software running their websites up to date. All of those companies are rather small, so what about higher profile organizations? The examples below show that even they are failing to do this basic task.
Threatpost
Threatpost is a security news website run by Kaspersky Lab, a major provider of security software. If you visit their website with our Server Details web browser extension you will be warned that the website is using outdated software. Clicking on the icon for the extension will let you know that they are using an outdated version of the nginx web server software:
The next version in the 0.7 series of nginx was released in June of 2010 and the last release in the series was released in July of 2011. Two security vulnerabilities that impact the version being used have been discovered, and resolved in newer versions of nginx, with the older one disclosed in November of 2011.
This isn’t an isolated issue at Kaspersky. In April of last year we posted about the fact that their US website was running an outdated version of Drupal. They are still running the same outdated version, which is now over four years out of date.
University of Cambridge
The website for the University of Cambridge is running an outdated version of Drupal, with at least one security update missed:
The university’s computer science department has a Security Group, which you would expect to want to make sure that the university’s websites are being kept secure, but at this point they are not even doing that for their own blog. Their Light Blue Touchpaper research blog is running a very out of date version of WordPress:
That version of WordPress is over three and a half years out of date and nine subsequent releases have included security updates.