Unplanned Obsolescence: Analysis of Outdated Software Usage in Production Environments
Abstract
The advance of computing has expanded attack surfaces, creating new targets for criminals who exploit known but unpatched vulnerabilities. Regular maintenance and updating of systems is essential, yet the absence of good patching practices exposes users to avoidable risk. Reports indicate that 76% of ransomware attacks in 2022 exploited known vulnerabilities. In this article, we investigate the problem of outdated software in organizations, based on data from over 129 million activity records of 23,000 users in 567 organizations. Our contributions include a regionalized analysis of software obsolescence, lessons for prioritizing preventive policies, and the release of anonymized data for future studies in the field.
References
Adobe Security Bulletin (2023). Security updates available for Adobe ColdFusion | APSB23-25. [link].
Bellissimo, A., Burgess, J., and Fu, K. (2006). Secure software updates: Disappointments and new challenges. In First USENIX Workshop on Hot Topics in Security (HotSec 06), Vancouver, B.C., Canada. USENIX Association.
CERT.br (2024). Serviços vulneráveis [Vulnerable services]. [link].
Fan, R. (2023). Brasil é o país com o maior volume de dados expostos no mundo [Brazil is the country with the largest volume of exposed data in the world]. [link].
Federal Trade Commission (2022). Equifax data breach settlement. [link]. Accessed June 2024.
Garcia, D. (2023). Ticking time bombs: The danger of outdated software in the cybersecurity landscape. [link]. Accessed 2024-06-07.
Jenkins, A. D. G., Liu, L., Wolters, M. K., and Vaniea, K. (2024). Not as easy as just update: Survey of system administrators and patching behaviours. In Proceedings of the CHI Conference on Human Factors in Computing Systems, CHI '24, New York, NY, USA. Association for Computing Machinery.
Jones, C. (2023). CISA details twin attacks on federal servers via unpatched ColdFusion flaw. [link].
Kerner, S. M. (2017). WannaCry ransomware attack hits victims with Microsoft SMB exploit. [link]. Accessed June 2024.
Li, F., Rogers, L., Mathur, A., Malkin, N., and Chetty, M. (2019). Keepers of the machines: Examining how system administrators manage software updates. In Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security, SOUPS '19, pages 273–288, USA. USENIX Association.
Martius, F. and Tiefenau, C. (2020). What does this update do to my systems? An analysis of the importance of update-related information to system administrators. In USENIX Symposium on Usable Privacy and Security (SOUPS), Virtual Conference. USENIX Association.
National Vulnerability Database (2024). Common Vulnerabilities and Exposures program. [link].
NIST (2023). CVE-2023-26360 - Adobe ColdFusion deserialization of untrusted data vulnerability. [link].
Securin, CSW, Ivanti, and Cyware (2023). Ransomware report. [link].
SecurityScorecard (2024). CVEDetails. [link].
Wash, R., Rader, E., Vaniea, K., and Rizor, M. (2014). Out of the loop: How automated software updates cause unintended security consequences. In Proceedings of the Tenth USENIX Conference on Usable Privacy and Security, SOUPS '14, pages 89–104, USA. USENIX Association.
Published
2024-09-16
How to Cite
KUJAVSKI, Luan Marko; PENTEADO, Ulisses; ALMEIDA, Paulo Lisboa de; GRÉGIO, André. Unplanned Obsolescence: Analysis of Outdated Software Usage in Production Environments. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 508-521. DOI: https://doi.org/10.5753/sbseg.2024.241435.
