© 2021 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

95% of websites run on outdated software with known vulnerabilities


If you’ve been smashing that 'Remind me tomorrow' button for months, it looks like you’re not the only one. To put it very, very mildly.

Keeping your software up to date is the mother of all security basics. Ask any security expert and they’ll tell you that running your website on outdated tech is a pretty bad idea: unpatched security holes can allow attackers to access or inject malware into your system - all without making them work for it.

Unfortunately, it seems that the common-sense practice of keeping software up to date is not that common, according to a new study conducted by a group of researchers from the Institute for Internet Security at the Westphalian University of Applied Sciences.

Over a period of 18 months, the researchers led by Nurullah Demir, Tobias Urban and others, analyzed 246 client- and server-side software products used across more than 5.6 million websites. 

They set off to understand how websites handled their software updates by looking at the versions and release dates of the 246 software products used by the websites. The researchers then mapped them against 147,312 known vulnerabilities from the National Vulnerability Database (NVD).

The study found that almost all websites use at least one outdated software product, making them potentially susceptible to a host of known vulnerabilities. 

In fact, only 6% of websites run on software that is fully up to date, while a whopping 47% let their entire software catalog go out of date.

"Overall, we found an exploitable vulnerability for 148 (60%) of the analyzed software products,” state the researchers. Shockingly, these vulnerable software products were used by 95% of analyzed websites. Not only that, the researchers learned that the number of vulnerable websites is “only increasing over time” as some of the websites keep postponing updates, which only makes the number of vulnerabilities accumulate. 

Besides the fact that there’s a 95% chance of any website you visit being vulnerable to attacks, here are some of the other notable (read: horrifying) results of the study:

  • The average software product is about 48 months behind the latest patch.
  • 92% of websites are potentially vulnerable to cross-site scripting (XSS) attacks.
  • On average, each analyzed software product had 8 vulnerabilities. 
  • The average website is potentially affected by 29 vulnerabilities.

The cost of running old software

Granted, keeping a diverse ecosystem of complex technologies up to date - while ensuring that everything keeps functioning as a whole - is not as easy as it might sound. In many cases, websites combine different, perpetually evolving technologies with different release cycles, which can make keeping an eye on each and every security update a real challenge. 

However, if left unpatched, even a single vulnerable component can compromise the entire system. “Web applications are commonly composed of different modules that rely on each other to perform a given task. Hence, one vulnerability in any of these modules might undermine the security of the entire web app, depending on the severity of the vulnerability,” states the report.

While the findings of the report might seem rather grim, the silver lining is that the solution to most of these problems is quite simple, if not necessarily easy. Yes, keeping all of your software up to date might be time-consuming. But with the average cost of a cyberattack sitting at $2.6 million, it’s certainly worth it.

More great CyberNews stories:

Android apps are asking for too many dangerous permissions. Here’s how we know

The ‘1977 trinity’ and other era-defining PCs

The birth of the Artificial Intelligence of Things

Scientists are excited about taking the quantum leap

Clubhouse’s privacy problem: your data may be going to China

Subscribe to our monthly newsletter

Leave a Reply

Your email address will not be published. Required fields are marked