In Heartbleed's wake, let's not forget many open-source apps remain vulnerable to attacks

Summary: Over 46 million Java-based open-source components containing known security flaws and vulnerabilities were downloaded in 2013, according to the latest research.

[Image: Heartbleed. Image via CNET]

The wounds caused by Heartbleed remain at the front of many minds, just a few weeks after a bug in the OpenSSL cryptographic library threatened to throw the world's Internet population under the bus.

The flaw could have allowed hackers to reveal contents of secured communications — such as passwords and credit card transactions. But to make matters worse, the fears around the flaw were only compounded when another separate vulnerability was found, this time in OAuth and OpenID, a few weeks later.

According to one researcher, that's far from being the end of the matter.

Many millions of Java-based and other open-source applications are vulnerable to flaws that have been known for, in some cases, years, he warned. And even today, they are still being downloaded.

Sonatype's Brian Fox penned a note on Wednesday with his "jaw hanging open," explaining that although many projects typically respond and patch vulnerabilities quickly, the issue is that "users don't respond as quickly to consume the fixes." 

"Given that attackers are notified via the same mechanism that a vulnerability has been found and fixed, they effectively have first mover advantage because it's generally easier to exploit than it is to update your application framework," he wrote.

In a few given examples, hundreds of thousands of affected versions of commonly used and highly popular Java-based apps were downloaded by tens of thousands of organizations.

He said affected versions of Struts, a widely used application framework, were downloaded more than 80,500 times by more than 10,000 organizations in the nine months after a major remote code execution flaw was disclosed.

Meanwhile, although Bouncy Castle remains the most popular clean-room implementation of cryptographic algorithms in Java, a version containing a vulnerability that allowed an attacker to compromise encrypted data was downloaded more than 20,000 times in the five years after the flaw was disclosed. More than 4,000 organizations are said to be running an affected version.

"This essentially makes the thing you intended to encrypt completely open," he said.
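The pattern Fox describes in both the Struts and Bouncy Castle cases is the same: the fix has been published, but applications keep pulling the affected version. The check a defender wants is therefore a routine audit of the dependency manifest against the advisory feed, reporting every component whose declared version is older than the first fixed version and how long the fix has already been available. The script below is an added example written for this article, not Sonatype's tooling or any code from the piece; the pom.xml fragment, the coordinates (`org.example.*`), the fixed versions and the advisory dates are all constructed placeholders rather than real Struts or Bouncy Castle advisories.

```python
"""Audit a Maven dependency list against a feed of known-vulnerable versions.

Added example. All coordinates, versions and dates below are constructed
placeholders for illustration, not real advisories.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment standing in for an application's manifest.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example.webfw</groupId>
      <artifactId>webfw-core</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example.crypto</groupId>
      <artifactId>crypto-provider</artifactId>
      <version>1.50</version>
    </dependency>
    <dependency>
      <groupId>org.example.util</groupId>
      <artifactId>util-lib</artifactId>
      <version>4.0.0</version>
    </dependency>
  </dependencies>
</project>
"""


@dataclass(frozen=True)
class Advisory:
    group_id: str
    artifact_id: str
    fixed_in: str   # first version that contains the fix
    published: date  # day the fix and advisory became public


# Constructed advisory feed (placeholder entries, not real CVEs).
ADVISORIES = [
    Advisory("org.example.webfw", "webfw-core", "2.3.2", date(2013, 7, 1)),
    Advisory("org.example.crypto", "crypto-provider", "1.51", date(2009, 3, 15)),
]


def version_tuple(version):
    """Turn '2.3.1' or '1.50-beta' into a numeric tuple; non-numeric suffixes are dropped."""
    parts = []
    for segment in version.split("."):
        m = re.match(r"\d+", segment)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """Numeric version comparison, padding with zeros so '2.3' == '2.3.0'."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for each <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall(".//m:dependency", POM_NS):
        deps.append((
            dep.findtext("m:groupId", namespaces=POM_NS),
            dep.findtext("m:artifactId", namespaces=POM_NS),
            dep.findtext("m:version", namespaces=POM_NS),
        ))
    return deps


def audit(pom_xml, advisories, today):
    """List dependencies older than their first fixed version, with the age of the fix."""
    index = {(a.group_id, a.artifact_id): a for a in advisories}
    findings = []
    for gid, aid, ver in parse_dependencies(pom_xml):
        adv = index.get((gid, aid))
        if adv is None or not version_lt(ver, adv.fixed_in):
            continue  # no advisory, or already at/after the fixed version
        findings.append({
            "coordinate": f"{gid}:{aid}:{ver}",
            "fixed_in": adv.fixed_in,
            "days_since_fix": (today - adv.published).days,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_POM, ADVISORIES, date(2014, 5, 7)):
        print(f"{f['coordinate']} is affected; upgrade to {f['fixed_in']} "
              f"(fix has been available for {f['days_since_fix']} days)")
```

The `days_since_fix` figure is the number worth tracking over time: it measures exactly the window Fox calls the attacker's first-mover advantage, and a build that fails when it exceeds a threshold closes that window on the consumer side rather than relying on the project's release speed.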

Heartbleed may give IT organization leads the shivers and cold sweats, but Fox warned that many other open-source apps are not being updated as quickly as they should be. 

That, he hinted, could lead to the next Heartbleed-style attack of similar scope and potential damage.

[Image: Sonatype]

Topics: Security, Open Source

About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.
