Based on cleaning up many hacked websites, we know what things are likely to lead to a website being hacked and therefore what needs to be done to protect websites from hackers. One of those is keeping the software running on the website up to date, as this prevents known vulnerabilities in older versions from being exploited (like the privilege escalation vulnerability in older versions of Joomla that we have been seeing exploited recently). Unfortunately, what we see is that many websites are not being kept up to date. What is more troubling is that security companies, which you would expect to lead when it comes to handling security, are not bothering to keep the software running their websites up to date. Last week we posted for the second time about a Kaspersky Lab website that was running outdated software, this time the website of their security news site, Threatpost. They haven’t been alone: a couple of years ago we looked at the poor state of security of Panda Labs’ websites after they had been hacked. This week we can add ESET to the list of security companies who are not taking the basic security measure of keeping the software on their websites up to date.
Let’s start with their news website, We Live Security, which they promote as being about “research and information”. If you are going to be providing others with information on security, it doesn’t seem unreasonable to expect that you are taking basic security measures yourself. This doesn’t seem to be something ESET believes in, as the website is running on an outdated version of WordPress:
They haven’t missed any security updates yet, so that isn’t as bad as it could be, but the version is five months out of date. In the source code of the website’s pages it can be seen that they are using version 1.4.7 of the Yoast WordPress SEO plugin, which is nine months out of date. The more recent version 1.5.0 “contains tons and tons of bugfixes and security improvements”, so the plugin definitely should have been updated by now.
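The version check described above can be automated for your own sites. This is an added example, not code from the original post or from any ESET or Yoast tool: it pulls the WordPress generator tag and the Yoast SEO plugin comment out of page source and flags anything older than an assumed set of current versions (the sample HTML and the CURRENT_VERSIONS values are constructed for the example).

```python
import re
from typing import Dict, Optional, Tuple

# Versions treated as "current" for the comparison. Assumed values for this
# example; the real current versions change and must be looked up each time.
CURRENT_VERSIONS = {
    "wordpress": "3.8.1",
    "yoast-seo": "1.5.0",
}

# Version strings that WordPress and the Yoast SEO plugin emit in page source:
# the generator meta tag and the plugin's HTML comment in the <head>.
PATTERNS = {
    "wordpress": re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I),
    "yoast-seo": re.compile(r'Yoast WordPress SEO plugin v([\d.]+)', re.I),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.7' into (1, 4, 7) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def detect_versions(html: str) -> Dict[str, Optional[str]]:
    """Extract the software versions a page discloses; None when not disclosed."""
    found = {}
    for name, pat in PATTERNS.items():
        m = pat.search(html)
        found[name] = m.group(1) if m else None
    return found

def outdated_components(html: str, current=CURRENT_VERSIONS) -> Dict[str, Tuple[str, str]]:
    """Return {component: (found, current)} for every disclosed version older than current."""
    result = {}
    for name, found in detect_versions(html).items():
        if found is not None and parse_version(found) < parse_version(current[name]):
            result[name] = (found, current[name])
    return result

# Constructed sample page source, modelled on what a WordPress site's <head> contains.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.6.1" />
<!-- This site is optimized with the Yoast WordPress SEO plugin v1.4.7 - https://yoast.com/wordpress/seo/ -->
</head><body></body></html>"""

if __name__ == "__main__":
    for name, (found, current) in outdated_components(SAMPLE_HTML).items():
        print(f"{name}: running {found}, current is {current}")
```

A site that strips the generator tag will report None for that component, which is a reason to check versions from the admin side rather than relying on page source alone.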
More of a problem is the website for ESET Virus Radar. If you are using our Drupal Version Check web browser extension you can see they are running an outdated version of Drupal on the website:
Digging a bit further, we were able to determine that the website is running Drupal 7.22. That version is seven months out of date, and there have been two subsequent updates – 7.24 and 7.26 – with fixes for security vulnerabilities.