Today’s WWW is built on pillars of sand: Buggy, exploitable JavaScript libs are everywhere

[Note: This item comes from friend David Rosenthal. DLH]

Your dependencies are not dependable
By Thomas Claburn
Mar 14 2017

The web has a security problem: code libraries. Almost 88 per cent of the top 75,000 websites and 47 per cent of .com websites rely on at least one vulnerable JavaScript library.

As described in a recently published paper, “Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web,” researchers from Northeastern University in Boston, Massachusetts, have found that websites widely rely on insecure versions of JavaScript libraries and that there is no immediate way to eliminate this problem.

The web is full of JavaScript, the most popular development technology outside of the mobile world, at least by Stack Overflow’s measure. “Notorious for security vulnerabilities,” as the paper’s six authors put it, JavaScript has come to depend on a wide variety of libraries that extend its capabilities, such as jQuery, Angular, and Bootstrap.

These libraries simplify common development patterns like manipulating HTML page elements, providing application structure, and simplifying user interface construction.

Unfortunately, JavaScript libraries may not be kept up-to-date and there’s no agreed-upon system for ensuring that web apps don’t load vulnerable library code.

The researchers looked at 75,000 of the top Alexa-ranked websites and at 75,000 randomly chosen .com websites. They found at least 36.7 per cent of jQuery, 40.1 per cent of Angular, 86.6 per cent of Handlebars, and 87.3 per cent of YUI (the discontinued Yahoo! User Interface Library) implementations employ a vulnerable version.

“Alarmingly, many sites continue to rely on libraries like YUI and SWFObject that are no longer maintained,” the paper says. “In fact, the median website in our dataset is using a library version 1,177 days older than the newest release, which explains why so many vulnerable libraries tend to linger on the web.”

To make matters worse, many websites include multiple versions of libraries, thereby increasing the potential for vulnerabilities. And third-party modules that implement advertising, tracking, or social media functions may come with embedded JavaScript that loads more libraries, any of which could be out of date.
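As an added example (not code from the article or the paper), here is a small Node script in the spirit of the problem described above: it inventories the library versions a page loads from its script URLs, flags versions below a site-chosen minimum, and flags the same library loaded more than once. The minimum versions and the CDN host are placeholders, not figures from the paper.

```javascript
// Added example (not code from the article or the paper): inventory the third-party
// JavaScript libraries a page loads from its <script src> URLs, flag versions below a
// site-chosen minimum, and flag one library loaded more than once. Node, no DOM needed.

// Minimum acceptable version per library: PLACEHOLDER policy values for this example,
// not vulnerability boundaries from the paper. null means the library is unmaintained.
const MIN_VERSION = { jquery: "3.0.0", angular: "1.6.0", handlebars: "4.0.0", yui: null };

// Matches "<lib>-1.2.3" or "/<lib>/1.2.3/" as seen on CDNs and self-hosted paths.
const LIB_RE = /\b(jquery|angular|handlebars|yui)(?:\.js)?[-/](\d+(?:\.\d+){1,2})/i;

// Numeric comparison ("1.10.2" > "1.9.1", which a string compare gets wrong).
// Returns negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function inventoryScripts(srcs) {
  const seen = new Map(); // lib -> Set of distinct versions loaded
  const findings = [];
  for (const src of srcs) {
    const m = LIB_RE.exec(src);
    if (!m) continue; // first-party or unrecognised script
    const lib = m[1].toLowerCase(), version = m[2];
    if (!seen.has(lib)) seen.set(lib, new Set());
    seen.get(lib).add(version);
    const min = MIN_VERSION[lib];
    if (min === null) findings.push({ lib, version, src, issue: "unmaintained" });
    else if (compareVersions(version, min) < 0) findings.push({ lib, version, src, issue: "below-minimum" });
  }
  // The same library included twice (e.g. by an ad or social widget) is itself a finding.
  for (const [lib, versions] of seen) {
    if (versions.size > 1) findings.push({ lib, version: [...versions].join(","), src: null, issue: "multiple-versions" });
  }
  return findings;
}

// Constructed sample input on a hypothetical CDN host, not URLs taken from any real site.
const SAMPLE_SRCS = [
  "https://cdn.example/jquery-1.8.3.min.js", "https://cdn.example/libs/jquery/3.2.1/jquery.min.js",
  "https://cdn.example/angular/1.5.8/angular.min.js", "https://cdn.example/handlebars.js/4.0.5/handlebars.min.js",
  "https://cdn.example/yui/3.18.1/build/yui/yui-min.js", "/static/app.js",
];
for (const f of inventoryScripts(SAMPLE_SRCS)) console.log(`${f.issue}: ${f.lib} ${f.version}`);
```

In a real deployment the URL list would come from the page's script elements or a crawl, and the minimum versions from the site's own patch policy.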
