N. Demir, K. Wittek, N. Pohlmann, T. Urban (Institut für Internet-Sicherheit):
“Our (in)Secure Web: Understanding Update Behavior of Websites and Its Impact on Security”,
In Proceedings of the Passive and Active Measurement Conference 2021.
Software updates play an essential role in keeping IT environments secure. If service providers delay or do not install updates, this can have unwanted security implications for their environments. This paper conducts a large-scale measurement study of the update behavior of websites and their utilized software stacks. Across 18 months, we analyze over 5.6M websites and 246 distinct client- and server-side software distributions. We found that almost all analyzed sites use outdated software.
To understand the possible security implications of outdated software, we analyze the potential vulnerabilities that affect the utilized software. We show that software components are getting older and more vulnerable because they are not updated. We find that 95 % of the analyzed websites use at least one product for which a vulnerability existed.
Nowadays, we use the Web for various tasks and services (e.g., talking to our friends, sharing ideas, being entertained, or working). Naturally, these services process a lot of personal and valuable data, which needs to be protected. Therefore, web services need to be hardened against adversaries, who might, for example, exploit imperfections in the software. An essential part of every application’s security concept is the process of updating the used components. Not updating software might have severe security implications. For example, the infamous Equifax data breach that affected 143 million people was possible because the company used software with a known vulnerability that had already been fixed in a newer version.
However, keeping software up to date is not always easy and, from the security perspective, not always necessary (i.e., not every update fixes a security issue).
Modern applications require a variety of different technologies (e.g., libraries, web servers, databases, etc.) to operate. Updating one of these technologies might have unforeseeable effects and, therefore, updates might create high overhead (e.g., if an update removes support for a feature that is in use). More specifically, service providers might object to installing an update because they do not directly profit from the new features (e.g., changes in an unused module). Hence, it is reasonable not to install every available update (e.g., to ensure stability).
In this work, we show that this challenge can have grave implications. To understand how up to date the utilized software on the Web is, and to understand its possible security implications, we conduct a large-scale measurement. Previous work also analyzed update behavior on the Web but – to the best of our knowledge – our measurement is more comprehensive than the previous studies. While we analyze over 5.6M sites and nearly 250 software products, other work in this field often only analyzed one specific type of software or a small subset. Therefore, our results are more generalizable and provide a better overview of the scale of the problem.
To summarize, we make the following contributions:
- We conduct a large-scale measurement that evaluates 246 software products used on 5.6M websites over a period of 18 months, to determine update behavior and security impact of not updating.
- We show that 96 % of the analyzed websites run outdated software, which is often more than four years old and is getting even older since no update is applied.
- We show that a vast majority of the analyzed websites (95 %) use software for which vulnerabilities have been reported, and the number of vulnerable websites is increasing over time.
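The classification behind these contributions (is a detected version older than the newest release, how old is it, and does a known advisory cover it) can be reproduced for a single site's inventory as in the following added example. It is not code from the paper; all product names, versions, release dates and advisory ids are constructed placeholders, not real data.

```python
from datetime import date

# Constructed release history (not real data): product -> [(version, release date)]
RELEASES = {
    "examplecms": [("3.8.1", date(2017, 4, 1)), ("3.9.0", date(2018, 2, 10)),
                   ("3.10.2", date(2019, 11, 5))],
    "examplejs": [("1.9.1", date(2013, 5, 28)), ("1.12.4", date(2016, 5, 20)),
                  ("3.5.1", date(2020, 5, 4))],
}
# Constructed advisories: (product, first affected, first fixed, placeholder id)
ADVISORIES = [
    ("examplecms", "3.0.0", "3.10.0", "EXAMPLE-ADV-0001"),
    ("examplejs", "1.0.0", "3.5.0", "EXAMPLE-ADV-0002"),
]

def parse_version(v):
    """'1.12.4' -> (1, 12, 4), so that '1.12' sorts after '1.9' (numeric, not
    lexicographic comparison; plain string comparison gets this wrong)."""
    return tuple(int(p) for p in v.split("."))

def age_days(product, version, today):
    """Days since the detected version was released: how old the deployed code is."""
    released = dict(RELEASES[product])[version]
    return (today - released).days

def vulnerable(product, version):
    """Ids of advisories whose affected range [first_affected, first_fixed)
    contains the detected version."""
    pv = parse_version(version)
    return [adv for (p, lo, hi, adv) in ADVISORIES
            if p == product and parse_version(lo) <= pv < parse_version(hi)]

def assess(inventory, today):
    """inventory: {product: detected version}. Returns, per product, whether a
    newer release exists, the age of the deployed version, and matching advisories."""
    report = {}
    for product, version in inventory.items():
        newest = max((v for v, _ in RELEASES[product]), key=parse_version)
        report[product] = {
            "outdated": parse_version(version) < parse_version(newest),
            "age_days": age_days(product, version, today),
            "advisories": vulnerable(product, version),
        }
    return report

# Constructed inventory for one site, as a fingerprinting step would produce it
SITE = {"examplecms": "3.9.0", "examplejs": "1.12.4"}
TODAY = date(2021, 3, 1)  # constructed measurement date
```

Running `assess(SITE, TODAY)` flags both products as outdated and as covered by an advisory; the same per-product records, aggregated over many sites, give the "outdated" and "vulnerable" shares reported above.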