Many Apache websites running old, vulnerable software

Summary:According to Netcraft, which surveys publicly-accessible web servers, millions of websites still appear to be using vulnerable versions of Apache, including versions which are no longer supported.

Very few Apache web servers are running the current, fully-patched version of the software, according to research by Netcraft. Some very popular sites are running very old, vulnerable and unsupported versions.

Netcraft is known most for their continuous surveys of publicly-accessible web servers on the Internet. Apache's share of such servers has been taking a nosedive over the last two years, according to the latest report on that survey, although it still dominates among active sites and the busiest sites, where Apache runs more than 50% of those surveyed.

The latest version of the Apache Stable Release is 2.4.7, released November 25, 2013. Very few sites are running this version. In fact, less than 1 percent of sites are reporting that they run any version in the 2.4 branch, despite Apache urging users to do so. In fact, Apache servers are overwhelmingly running the "Legacy Release," i.e. the 2.2 branch, the latest version of which is 2.2.26, released November 18, 2013.

Netcraft.most.popular.apache.versions

Even version 1.3.x, at roughly 6 million sites, is far more popular than the Stable Release. The most popular such site is Weather Underground, which runs Apache 1.3.42. Weather Underground has an Alexa ranking of 172 in the US and 615 worldwide, so it's a very popular site.

As Netcraft notes, over half of Apache web sites hide the version number, although further tests may indicate the version. By the same token, some servers with a vulnerable version number may not be vulnerable to some of that version's flaws; for example, Red Hat Linux provides a backporting feature by which fixes for later versions may be applied to an earlier version.

But, as best as we can tell, the 2.2.x branch is dominant. It is still distributed by many third parties, such as Red Hat. And many sites for which security is a prominent concern, such as OpenSSL, run old versions. OpenSSL.org runs Apache 2.2.22 on Ubuntu Linux.

Topics: Security

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.