One-Fifth of Scanned Sites Have Vulnerabilities, Menlo Security Finds
Stealth vendor Menlo Security scanned 750,000 Web domains and found many with known vulnerabilities.
More than one-fifth (21 percent) of sites have known vulnerabilities, including Web server and PHP issues, according to Menlo Security's State of the Web March 2015 study that scanned 750,000 unique domains.
"The home page of each of the 750,000 domains in the Alexa 1 million [Alexa's top 1 million Websites] was visited once," Kowsik Guruswamy, CTO of Menlo Security, told eWEEK. "This was not an active scan against a single site to crawl the various pages; it was a single page load through a browser that also fetched all of the assets from CDNs [content delivery networks], iframes, ad networks, etc."
Looking into the data, Guruswamy said that the breakdown of vulnerable software shows that 10 percent of scanned sites were running a vulnerable version of PHP, where "vulnerable" means the site was running any of the versions of PHP that show at least one outstanding vulnerability in the CVE database. PHP is an open-source language that is commonly deployed on Web server infrastructure and used by many content management systems (CMSes), including WordPress, Drupal and Joomla.
Vulnerable Web server software was also common, with 4 percent of sites running a vulnerable version of Apache HTTP and 4 percent running a vulnerable version of Microsoft Internet Information Services (IIS).
The risk of older unpatched software is an issue that other vendors have been pointing out in recent months. Hewlett-Packard's 2015 Cyber Risk report published on Feb. 23 found that 44 percent of breaches could be attributed to patched vulnerabilities that were between two and four years old.