When it comes to improving the security websites one of the biggest problems we see is that there is so much bad information available on the Internet, especially the information coming from companies trying to sell security products and services. We would hope that news organizations would provide the public with a source for better information, but most of the security reporting we see in technology news websites is just as bad as anywhere else. Their lack of security knowledge also impacts their own websites as we see that they are not taking basic security measures with their websites and therefore leaving them vulnerable.
We found three prominent technology news websites that are running very out of date versions of the Drupal software. Keeping software up to date on a website prevents known vulnerability being exploited and we have found that when vulnerabilities in website software are exploited it almost always due to a vulnerability that has already been patched in a newer release of the software.
Network World is in much worse shape than the other two organizations as they are using Drupal 5, for which support ended back at the beginning of 2011. They haven’t even bothered to at least make sure they are running the most recent version of Drupal 5. In fact they haven’t updated it in over four and half years – the next version was released in January of 2009 – and they missed the last nine security releases for Drupal 5.