Half of the third-party components used in software applications are outdated, exposing them to exploits, according to a major new study from Synopsys.
The software firm analyzed over 128,000 applications to compile its latest report, The State of Software Composition 2017.
It identified 16,868 unique versions of open source and commercial software components containing almost 10,000 new security flaws.
Nearly half (45%) of the third-party components it studied were over four years old, meaning there were newer and more secure versions available.
The report covered software in a variety of environments: mobile, desktop and web applications, and firmware and embedded software from a range of industries.
“Over time, vulnerabilities in third-party components are discovered and disclosed, leaving a previously secure software package open to exploits,” explained Andreas Kuehlmann, senior vice-president and general manager for the Synopsys Software Integrity Group.
“The message to the software industry should not be whether to use open source software, but whether you are vigilant about keeping it updated to prevent attacks.”
Surprisingly, the Heartbleed bug appeared in the top 50% of all CVEs observed, despite a patch having been available since 2014.
In addition, the report revealed that the oldest CVE dates back as far as to 1999.
The top 10 most common software components with outdated versions still being used more than 90 percent of the time include: Curl, Dropbear, Expat, libjpeg-turbo, libjpeg, libpng Linux Kernal, Lua, OpenSSL and Pcre.
Robert Vamosi, security strategist at Synopsys, said the report’s findings should serve as a wake-up call to the industry, not least given the impact WannaCry had exploiting known vulnerabilities last month.
“The update process does not end at the time of software release, and an ongoing pattern of software updates must be implemented throughout the product lifecycle,” he added.
“As new CVEs are disclosed against open source software components, developers need to know whether their products are affected, and organizations need to prevent the exploit of vulnerabilities with the latest versions when they become available.”