Comments on DSHR's Blog: Scary Monsters Under The Bed

Comment by David (http://www.blogger.com/profile/14498131502038331594), 2017-03-14T10:17:50.956-07:00:

The impracticality of excluding malware from digital collections is emphasized by Tobias Lauinger <i>et al.</i>'s <a href="http://dx.doi.org/10.14722/ndss.2017.23414" rel="nofollow"><i>Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web</i></a> (also <a href="http://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf" rel="nofollow">here</a>). They report:

"97% of ALEXA sites and 83.6% of COM sites contain JavaScript."

and:

"ALEXA and COM crawls contain a median of 24 and 9 inline scripts, respectively, with 5% of the sites having hundreds of inline scripts — the maximum observed was 19K and 25K."

and:

"we detect at least one of our 72 target libraries on 87.7% of all ALEXA sites and 46.5% of all sites in COM"

and:

"Overall, we find that 37.8% of [ALEXA] sites use at least one library version that we know to be vulnerable, and 9.7% use two or more different vulnerable library versions (COM ... 37.4% and 4.1%)."

and:

"To characterise lag from a per-site point of view, we calculate the maximum lag of all inclusions on each site and find that 61.4% of ALEXA sites are at least one patch version behind on one of their included libraries (COM: 46.2%). Similarly, the median ALEXA site uses a version released 1,177 days (COM: 1,476 days) before the newest available release of the library."

So Web archives are full of really old, really vulnerable JavaScript.