As the Northeastern researchers highlight in a new paper, vulnerable libraries can be dangerous under the right conditions; they point to an old cross-site scripting bug in jQuery that allows an attacker to inject malicious scripts into a vulnerable site.
They looked at domains from Amazon's Alexa Top 75,000 list and 75,000 randomly selected .com domains, assessing 72 different libraries and their respective versions. Overall, 87 percent of the Alexa sites and 46.5 percent of the .com sites use one of the 72 libraries.
The study found that "36.7 percent of jQuery, 40.1 percent of Angular, 86.6 percent of Handlebars, and 87.3 percent of YUI inclusions use a vulnerable version." Additionally, 9.7 percent of the sites in the study use two or more vulnerable library versions.
However, the most popular sites in the study were found to be far less likely to include a vulnerable library. The researchers found that only 21 percent of the top 100 Alexa sites did so.
"There are no reliable vulnerability databases, no security mailing lists maintained by library vendors, few or no details on security issues in release notes, and often, it is difficult to determine which versions of a library are affected by a specific reported vulnerability."
Remediation won't be a simple task either, because the vast majority of sites use libraries that are far out of date. For example, the median lag between the oldest library version on each website and the newest available version is over three years.
"We observe that only a very small fraction of potentially vulnerable sites -- 2.8 percent in Alexa, 1.6 percent in .com -- could become free of vulnerabilities by applying patch-level updates, i.e., an update of the least significant version component, such as from 1.2.3 to 1.2.4, which would generally be expected to be backwards compatible," the researchers note.
"The vast majority of sites would need to install at least one library with a more recent major or minor version, which might necessitate additional code changes due to incompatibilities."
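The patch-versus-major/minor distinction the researchers apply, as an added example that is not code from the article or the paper: given a site's library inclusions and a catalogue of known releases with the vulnerable ones flagged, compute the least disruptive kind of update that removes every vulnerable inclusion. The library names and version data are constructed, not real advisory data.

```python
# Added example: classify the least disruptive update that clears a site of
# vulnerable library inclusions (patch < minor < major). All data is constructed.
RANK = {"patch": 0, "minor": 1, "major": 2}

def parse_version(v):
    """'1.2.3' -> (1, 2, 3); shorter strings are padded with zeros."""
    parts = [int(x) for x in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def update_kind(current, target):
    """Most significant version component that changes between the two."""
    c, t = parse_version(current), parse_version(target)
    if c[0] != t[0]:
        return "major"
    return "minor" if c[1] != t[1] else "patch"

def smallest_safe_update(current, versions, vulnerable):
    """Newer, non-vulnerable release reachable with the least disruptive
    update; ties go to the lowest version. None if no safe release exists."""
    cur = parse_version(current)
    safe = [v for v in versions if parse_version(v) > cur and v not in vulnerable]
    if not safe:
        return None
    best = min(safe, key=lambda v: (RANK[update_kind(current, v)], parse_version(v)))
    return best, update_kind(current, best)

def site_remediation(inclusions, catalog):
    """inclusions: [(lib, version)]; catalog: lib -> (all versions, vulnerable set).
    'clean' if nothing is vulnerable, 'unfixable' if a vulnerable inclusion has
    no safe newer release, else the most disruptive update kind required."""
    worst = None
    for lib, version in inclusions:
        versions, vulnerable = catalog[lib]
        if version not in vulnerable:
            continue
        found = smallest_safe_update(version, versions, vulnerable)
        if found is None:
            return "unfixable"
        if worst is None or RANK[found[1]] > RANK[worst]:
            worst = found[1]
    return worst or "clean"

# Constructed catalogue with hypothetical library names, not real advisory data.
CATALOG = {
    "lib-a": (["1.2.3", "1.2.4", "1.3.0"], {"1.2.3"}),
    "lib-b": (["2.0.0", "2.0.1", "2.1.0", "3.0.0"], {"2.0.0", "2.0.1"}),
}
```

A site including only lib-a 1.2.3 falls into the paper's patch-level group, while one also including lib-b 2.0.0 needs a minor update because the next patch release 2.0.1 is itself flagged.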