However, the most popular sites in the study were found to be far less likely to include a vulnerable library. The researchers found that only 21 percent of the top 100 Alexa sites did so.
"There are no reliable vulnerability databases, no security mailing lists maintained by library vendors, few or no details on security issues in release notes, and often, it is difficult to determine which versions of a library are affected by a specific reported vulnerability."
Remediation won't be a simple task either, because the vast majority of sites use libraries that are badly out of date: the median lag between the oldest library version on each website and the newest available version of that library is more than three years.
"We observe that only a very small fraction of potentially vulnerable sites -- 2.8 percent in Alexa, 1.6 percent in .com -- could become free of vulnerabilities by applying patch-level updates, i.e., an update of the least significant version component, such as from 1.2.3 to 1.2.4, which would generally be expected to be backwards compatible," the researchers note.
"The vast majority of sites would need to install at least one library with a more recent major or minor version, which might necessitate additional code changes due to incompatibilities."
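The distinction the researchers draw (patch-level versus minor or major updates) is easy to turn into a dependency-audit check. The following is an added example, not code from the study or the article: it classifies, for a constructed inventory of sites and their client-side library versions, which version component each site would have to bump, and computes the share of outdated sites that patch-level updates alone would make current. Library names and version numbers here are illustrative.

```python
# Constructed sample inventory (not data from the study): for each site,
# (library, installed version, newest available version) triples.
SITES = {
    "site-a.example": [("jquery", "1.2.3", "1.2.4")],
    "site-b.example": [("jquery", "1.8.3", "1.12.4"), ("angular", "1.4.0", "1.4.14")],
    "site-c.example": [("jquery", "1.6.0", "3.1.1")],
    "site-d.example": [("bootstrap", "3.3.7", "3.3.7")],  # already current
}

LEVEL_RANK = {"none": 0, "patch": 1, "minor": 2, "major": 3}


def parse_version(v):
    """Parse a dotted numeric version such as '1.2.3' into a 3-tuple of ints.
    Missing components count as 0, so '1.2' -> (1, 2, 0)."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def update_level(installed, latest):
    """Return the most significant version component that must change to
    reach `latest`: 'none' if already current, else 'major', 'minor' or
    'patch' (a change of the least significant component only)."""
    cur, new = parse_version(installed), parse_version(latest)
    if cur >= new:
        return "none"
    if cur[0] != new[0]:
        return "major"
    if cur[1] != new[1]:
        return "minor"
    return "patch"


def site_update_level(libraries):
    """The hardest update a site must make across all of its libraries."""
    return max((update_level(i, l) for _, i, l in libraries), key=LEVEL_RANK.__getitem__)


def patch_fixable_fraction(sites):
    """Share of sites with at least one outdated library that would be fully
    current after patch-level updates alone (the study's 2.8% / 1.6% figure)."""
    outdated = [libs for libs in sites.values() if site_update_level(libs) != "none"]
    fixable = [libs for libs in outdated if site_update_level(libs) == "patch"]
    return len(fixable) / len(outdated) if outdated else 0.0


if __name__ == "__main__":
    for site, libs in SITES.items():
        print(f"{site}: needs {site_update_level(libs)} update")
    print(f"patch-fixable share of outdated sites: {patch_fixable_fraction(SITES):.0%}")
```

Run against a real inventory (e.g. versions scraped from script tags compared with the vendor's latest release), the same function separates the sites that can be fixed cheaply from those that need compatibility work.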