OWASP Top 10 2013 – A9 – Using Components with Known Vulnerabilities

> I didn’t even know we had this old thing!

You know, keeping things up to date is something you pretty much have to do, but the web doesn’t really make it easy. There’s a plethora of things to remember to patch: the proxies, the web server, the web application, any dependencies, and even the front-end libraries themselves! How often do you update your version of jQuery?

There are two distinctly different types of using vulnerable components:
1. Using something that is vulnerable
2. Using something that is end of life

Deceased software

While something that is “end of life” doesn’t mean that it actually is vulnerable – it usually does – though you’ll be out in the cold in case something happens. Some kid discovers the next big vulnerability against Framework Buzzword, and you have no patch coming.

End of life simply means that the company, vendor, or developer who makes the software will no longer maintain it with security updates.

A note on open source projects
Larger projects will most likely keep an up-to-date list with whatever versions and branches they’re supporting, smaller ones might not. Projects on for example GitHub might not have an active community, a low level of support, and no guarantee when it comes to maintenance. For these types of projects, declaring the end of life is hard. In the end, you will have to accept responsibility for applying patches yourself or having a contingency plan in case something happens.

Danger ahead – vulnerable software in use

Though, obviously, software doesn’t have to be end of life to be vulnerable. Sometimes running an out of date version can be dangerous, depending on the associated vulnerabilities.

So what does that mean? Well, simply put, the community keeps track of and share knowledge on software vulnerabilities. Sometimes the specifics are disclosed (perhaps together with a demo), meaning that anyone with some technical know-how could go ahead and exploit anything running that software. Though sometimes only the fact that there is *something* wrong is disclosed.

How to disclose vulnerabilities is a completely different topic.

So what, no one knows if we’re running this and this version!

Wrong. The internet knows.

There are huge searchable databases that can be used to find services and applications running this and this version of that and that software. You could even use Google (with some limitations)!

Okay. Fair enough. But who would attack us?

Probably someone with nothing better to do, depending on the vulnerability. As time goes on, the likelihood of someone building a utility to automatically exploit the vulnerability increases. And when there is a tool for it, anyone (even a twelve-year-old) could use it – no skill required.

> Damn script kiddies.

So to summarise, the final thoughts:
A. Update your software, dependencies, components, whatever
B. Plan to migrate or upgrade from soon-to-be abandoned software

Leave a Reply

Your email address will not be published.