The recent disclosure of new vulnerabilities in Joomla highlights the attractiveness to hackers of vulnerabilities in popular open source projects. Open source has characteristics that make it a compelling target for several reasons:
- Open source software, such as Joomla, is widely used by organizations across multiple vertical markets. From an attacker’s point of view, vulnerabilities in Joomla represent a target-rich environment.
- Vulnerabilities such as these are publicly disclosed, and therefore provide attackers with targets and, often, exploits. As seen in the CSO article, the response time from attackers is quick; they recognize and attempt to exploit a window of opportunity before users upgrade to a patched version of Joomla.
- This urgency is understandable, but not always required for attackers to succeed. Because open source typically has a “pull” support model (users are required to monitor open source projects for updates, as opposed to the “push” model in commercial software), many organizations will either be unaware of the vulnerability or not prioritize upgrading their Joomla sites. In most cases, vulnerabilities in open source remain exploitable for months. Verizon’s 2015 Data Breach Investigation Report found that "99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published."
Unlike closed source applications such as those built by Microsoft, open source has no Patch Tuesday that pushes out security updates, so the responsibility for keeping components current falls on users.
What can we do? The first step is to understand what open source applications and components are used in our environments. Next, we need to understand the “hygiene” of those components in terms of reported vulnerabilities. Finally, recognizing the “pull” support model of open source, we need to continuously monitor the threat environment for new vulnerabilities, and map those to the open source we use.
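Once the inventory and the advisory feed are both structured data, the three steps above (know what you run, know its reported vulnerabilities, keep mapping new advisories onto the inventory) reduce to a small matching problem. The following is an added Python example, not code from the original post or from any product; the component names, deployed versions and advisory identifiers (ADV-0001 and so on) are constructed placeholders rather than real advisories, and the range model (a component is affected from a minimum version up to, but excluding, the version that carries the fix) is an assumption made for illustration.

```python
"""Map a vulnerability feed onto an inventory of deployed open source components.

Added example, not code from the original post. Component names, versions and
advisory identifiers below are constructed placeholders, not real advisories.
"""
import re
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '2.0.10' into (2, 0, 10) so versions compare numerically, not as strings.

    A trailing letter suffix such as '1.0.2g' is dropped; a purely non-numeric
    part counts as 0. Good enough for illustration, not a full version parser.
    """
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Component:
    name: str        # project name as it appears in the feed
    version: str     # version actually deployed in our environment
    location: str    # where the inventory step found it (host and path)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # constructed placeholder id, e.g. "ADV-0001"
    component: str
    affected_min: str  # first affected version (inclusive)
    fixed_in: str      # first version carrying the fix (exclusive bound)
    severity: str


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the deployed version lies in [affected_min, fixed_in)."""
    if component.name.lower() != advisory.component.lower():
        return False
    deployed = parse_version(component.version)
    return parse_version(advisory.affected_min) <= deployed < parse_version(advisory.fixed_in)


def map_advisories(inventory, feed):
    """Return {component: [advisories]} for every deployed component with an open advisory."""
    findings = {}
    for component in inventory:
        hits = [adv for adv in feed if is_affected(component, adv)]
        if hits:
            findings[component] = sorted(hits, key=lambda adv: adv.advisory_id)
    return findings


def upgrade_targets(findings):
    """For each affected component, the lowest version that closes all of its open advisories."""
    return {component: max((adv.fixed_in for adv in advisories), key=parse_version)
            for component, advisories in findings.items()}


# Constructed sample inventory: the output of the "what do we run?" step.
INVENTORY = [
    Component("Joomla", "2.0.5", "www1:/var/www/intranet"),
    Component("Joomla", "2.0.6", "www2:/var/www/partners"),
    Component("jQuery", "1.11.3", "www1:/var/www/intranet/media"),
    Component("OpenSSL", "1.0.2g", "www2:/usr/lib"),
]

# Constructed sample feed: placeholder advisories, not real CVEs.
FEED = [
    Advisory("ADV-0001", "Joomla", "2.0.0", "2.0.6", "critical"),
    Advisory("ADV-0002", "Joomla", "2.0.4", "2.0.7", "high"),
    Advisory("ADV-0003", "OpenSSL", "1.0.0", "1.0.1", "medium"),  # closed by the deployed 1.0.2g
]


def report(inventory=INVENTORY, feed=FEED):
    """One line per affected deployment, naming the advisories and the version to move to."""
    findings = map_advisories(inventory, feed)
    targets = upgrade_targets(findings)
    lines = []
    for component, advisories in findings.items():
        ids = ", ".join(adv.advisory_id for adv in advisories)
        lines.append(f"{component.name} {component.version} at {component.location}: "
                     f"{ids}; upgrade to >= {targets[component]}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Rerunning `report()` each time the feed changes is the continuous-monitoring step; the inventory side only changes when something is deployed or removed, which is why the first step (knowing what is running, and where) is the one that makes the rest possible.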
Open source adds tremendous value to organizations. However, it pays to be conscious of the risk it can pose, and take appropriate steps to mitigate that risk.