Google to notify webmasters of vulnerable software
The search engine giant said Thursday that it will alert site owners if they are running content management systems (CMS) or other publishing software that contains a security vulnerability, according to Google's Webmaster Central Blog.
However, only site owners who have signed up for Google's Webmaster Tools, designed to improve a site's search ranking, will be eligible to receive the alerts, the blog said.
Google plans to start the program in a test phase, sending out 5,000 to 6,000 messages to webmasters who may be running out-of-date versions of WordPress, a popular blogging platform.
"There's been a recent trend of spammers hacking websites, and most of the time that happens because the webmaster or site owner didn't update a piece of software that runs their website," Matt Cutts, a Google software engineer, wrote Thursday on his personal blog. "If you think you can install a piece of software on the web in 2008 and run it forever without upgrading, I'm sorry to say that your website will be at a much higher risk of getting hacked."
Experts have said hackers infiltrate these legitimate sites to embed URLs that point to their own malicious or spam sites. That way, they can improve those sites' search-engine rankings.
Publishing software is often riddled with vulnerabilities because it is built for companies that are inexperienced in coding and that want a third-party platform they can customize to suit their own needs, Francesco Benedini, a malware researcher at anti-spyware firm Sunbelt Software, said on Friday.
"One thing that could happen is the malicious users, if they determine you are running a vulnerable CMS, they can run an automatic exploit," he told SCMagazineUS.com. "They can, for instance, insert a redirection to a malicious site or insert malicious content."
What Google's alerts can't help webmasters defend against are poorly coded sites that are vulnerable to attacks such as cross-site scripting and SQL injection, Benedini said. To defend against these, owners are encouraged to conduct a complete code review, he said.
"If you have some custom created page in PHP or ASP (two server-side scripting languages), it's not going to do anything," Benedini said of the Google initiative. "It just determines if this CMS software [you are running] is vulnerable based on the version."