Tuesday, December 30, 2014

PHP Install Statistics

After yesterday's post, I decided to do some math to see how many PHP installs had at least 1 known security vulnerability. So I went to grab statistics from W3Techs, and correlated that with the versions known to be supported by the Linux distributions. I then whipped up a spreadsheet and got some interesting numbers out of it. So interesting that I need to share...

UPDATE:

Wow, this post got traction pretty fast. I started applying the same analysis to other platforms (where W3Techs had data). Rather than doing a new post, I'll just link the raw data in a Google Sheet (if you want to edit, just duplicate the sheet; everything is formula driven, so update away).

So, what's the breakdown?

| Platform | % Installs That Are Secure |
|---|---|
| Perl | 82.27% |
| Python | 77.59% |
| Nginx | 64.48% |
| Apache | 61.96% |
| WordPress | 60.45% |
| Drupal | 45.23% |
| PHP | 25.94% |

Note that the PHP numbers here are slightly higher than in the rest of this post. This is due to adding Fedora, as well as adding 5.4.34 to the Debian 7 support list (over-counting Debian 7 again).

What Is A Secure And Supported Version?

Well, for purposes of this analysis, we'll call versions that have no known vulnerabilities (more recent than the most recent security release) secure.

That gives us the following secure versions:

  • 5.6.4
  • 5.5.20
  • 5.4.36
We'll also count those that are maintained by Linux distributions in supported releases. For example, Debian 5.0 is no longer maintained, so the version of PHP it ships with is considered no longer supported or secure (5.2.6).

So that gives us the following table:

| Distribution | Distro Version | PHP Version |
|---|---|---|
| Debian | 7 (Wheezy) | 5.4.4 |
| Debian | 6 (Squeeze) | 5.3.3 |
| Ubuntu | 14.10 (Utopic) | 5.5.12 |
| Ubuntu | 14.04 (Trusty) | 5.5.9 |
| Ubuntu | 12.04 (Precise) | 5.3.10 |
| Ubuntu | 10.04 (Lucid) | 5.3.2 |
| CentOS | 7.0 | 5.4.16 |
| CentOS | 6.6 | 5.3.3 |
| CentOS | 5.11 | 5.1.6 |

Now, for our purposes, we'll assume that any 5.4.4 install is secure, since we can't distinguish Debian installs (supported) from non-Debian installs (unsupported).

This means that our "secure" numbers will be over-inflated. But let's plug it in and see what happens.

So that means our total list of secure PHP versions (with no known vulnerabilities) is:

  • 5.6.4
  • 5.5.20
  • 5.5.12
  • 5.5.9
  • 5.4.36
  • 5.4.16
  • 5.4.4
  • 5.3.10
  • 5.3.3
  • 5.3.2
  • 5.1.6

PHP 5.6

So, looking at the W3Techs numbers, we can see that 5.6 has a total adoption rate of 0.4%. This means that 0.4% of all PHP installs use 5.6.x. So let's look at the breakdown:

| Version | % Of Minor | % Of Total | Secure? |
|---|---|---|---|
| 5.6.4 | 6.7 | 0.0268 | Yes |
| 5.6.3 | 29.1 | 0.1164 | No |
| 5.6.2 | 31.8 | 0.1272 | No |
| 5.6.1 | 5.2 | 0.0208 | No |
| 5.6.0 | 27.2 | 0.1088 | No |

So, 6.7% of all PHP 5.6 installs are running 5.6.4, and are therefore secure (since it's the only secure and maintained PHP 5.6 version).

So, correlating that to our list of secure PHP versions, we come up with the following breakdown for 5.6:

| Type | % Of Minor | % Of Total |
|---|---|---|
| Secure 5.6 | 6.7 | 0.0268 |
| Insecure 5.6 | 93.3 | 0.3732 |

So only 6.7% of PHP 5.6 installs are running secure versions. And only 0.0268% of all PHP installs are running a secure version of PHP 5.6...
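The rule above (a version counts as secure if it is at or above its branch's latest security release, or is an exact version a supported distribution still patches) and the per-branch arithmetic are easy to get subtly wrong in a spreadsheet, so here is an added Python example that encodes both; it is not the post's sheet, it hard-codes the version lists given above, and it uses the 5.6 figures from the table as constructed sample input.

```python
from typing import Dict, Tuple

# Latest upstream security releases at the time of the post (from the page).
LATEST_SECURITY_RELEASE = {"5.6": (5, 6, 4), "5.5": (5, 5, 20), "5.4": (5, 4, 36)}
# Exact versions kept patched by a supported distro release (page's distro table).
DISTRO_MAINTAINED = {"5.5.12", "5.5.9", "5.4.16", "5.4.4",
                     "5.3.10", "5.3.3", "5.3.2", "5.1.6"}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '5.6.4' into a comparable tuple; string comparison would rank 5.5.9 above 5.5.20."""
    major, minor, patch = (int(p) for p in v.split("."))
    return major, minor, patch


def is_secure(version: str) -> bool:
    """Apply the post's rule: at/above the branch's latest security release,
    or an exact version that a supported distribution still backports fixes to."""
    major, minor, patch = parse_version(version)
    latest = LATEST_SECURITY_RELEASE.get(f"{major}.{minor}")
    if latest is not None and (major, minor, patch) >= latest:
        return True
    return version in DISTRO_MAINTAINED


def breakdown(branch_share: float, per_version: Dict[str, float]) -> Dict[str, float]:
    """branch_share: the minor branch's % of all PHP installs (W3Techs).
    per_version: each version's % within that branch.
    Returns secure/insecure shares of the branch and of all installs."""
    secure_minor = sum(s for v, s in per_version.items() if is_secure(v))
    insecure_minor = sum(s for v, s in per_version.items() if not is_secure(v))
    return {
        "secure_minor": round(secure_minor, 4),
        "insecure_minor": round(insecure_minor, 4),
        "secure_total": round(secure_minor * branch_share / 100, 4),
        "insecure_total": round(insecure_minor * branch_share / 100, 4),
    }


# Constructed sample: the page's PHP 5.6 figures (5.6 is 0.4% of all installs).
PHP56 = {"5.6.4": 6.7, "5.6.3": 29.1, "5.6.2": 31.8, "5.6.1": 5.2, "5.6.0": 27.2}

if __name__ == "__main__":
    print(breakdown(0.4, PHP56))
```

The same `breakdown` call reproduces the other branch tables in this post when fed their W3Techs figures; the over-counting caveat (every 5.4.4 treated as Debian's) is built into `DISTRO_MAINTAINED` exactly as the post assumes it.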

PHP 5.5

PHP 5.5 is a bit more interesting, with a total adoption of 6%. And there are a lot more releases to look at:

| Version | % Of Minor | % Of Total | Secure? |
|---|---|---|---|
| 5.5.20 | 3.6 | 0.216 | Yes |
| 5.5.19 | 14.2 | 0.852 | No |
| 5.5.18 | 14.2 | 0.852 | No |
| 5.5.17 | 5.6 | 0.336 | No |
| 5.5.16 | 4.5 | 0.27 | No |
| 5.5.15 | 3.3 | 0.198 | No |
| 5.5.14 | 2.9 | 0.174 | No |
| 5.5.13 | 1.8 | 0.108 | No |
| 5.5.12 | 2.7 | 0.162 | Yes |
| 5.5.11 | 2.9 | 0.174 | No |
| 5.5.10 | 1.6 | 0.096 | No |
| 5.5.9 | 30.3 | 1.818 | Yes |
| 5.5.8 | 3.2 | 0.192 | No |
| 5.5.7 | 1.4 | 0.084 | No |
| 5.5.6 | 1.1 | 0.066 | No |
| 5.5.5 | 0.6 | 0.036 | No |
| 5.5.4 | 0.5 | 0.03 | No |
| 5.5.3 | 4.3 | 0.258 | No |
| 5.5.2 | 0.1 | 0.006 | No |
| 5.5.1 | 0.6 | 0.036 | No |
| 5.5.0 | 0.6 | 0.036 | No |

Things look a bit better here.

| Type | % Of Minor | % Of Total |
|---|---|---|
| Secure 5.5 | 36.6 | 2.196 |
| Insecure 5.5 | 63.4 | 3.804 |

Our total increased here. 33.6% of all 5.5 installs are running secure versions. This is MUCH better than 5.6, but still horrifically low...

PHP 5.4

With PHP 5.4 we again see a huge jump in overall adoption at 26.4% of all PHP installs. So let's break it down by version:

| Version | % Of Minor | % Of Total | Secure? |
|---|---|---|---|
| 5.4.36 | 0.9 | 0.2376 | Yes |
| 5.4.35 | 20.8 | 5.4912 | No |
| 5.4.34 | 17.4 | 4.5936 | No |
| 5.4.33 | 6.7 | 1.7688 | No |
| 5.4.32 | 5.5 | 1.452 | No |
| 5.4.31 | 4.4 | 1.1616 | No |
| 5.4.30 | 4.6 | 1.2144 | No |
| 5.4.29 | 3.5 | 0.924 | No |
| 5.4.28 | 3.1 | 0.8184 | No |
| 5.4.27 | 3.6 | 0.9504 | No |
| 5.4.26 | 2.9 | 0.7656 | No |
| 5.4.25 | 1.9 | 0.5016 | No |
| 5.4.24 | 2.7 | 0.7128 | No |
| 5.4.23 | 1.9 | 0.5016 | No |
| 5.4.22 | 1.3 | 0.3432 | No |
| 5.4.21 | 1.1 | 0.2904 | No |
| 5.4.20 | 1.2 | 0.3168 | No |
| 5.4.19 | 1 | 0.264 | No |
| 5.4.18 | 0.3 | 0.0792 | No |
| 5.4.17 | 1.2 | 0.3168 | No |
| 5.4.16 | 1.6 | 0.4224 | Yes |
| 5.4.15 | 0.3 | 0.0792 | No |
| 5.4.14 | 0.6 | 0.1584 | No |
| 5.4.13 | 0.3 | 0.0792 | No |
| 5.4.12 | 0.4 | 0.1056 | No |
| 5.4.11 | 0.4 | 0.1056 | No |
| 5.4.10 | 0.2 | 0.0528 | No |
| 5.4.9 | 0.7 | 0.1848 | No |
| 5.4.8 | 0.2 | 0.0528 | No |
| 5.4.7 | 0.4 | 0.1056 | No |
| 5.4.6 | 0.7 | 0.1848 | No |
| 5.4.5 | 0.1 | 0.0264 | No |
| 5.4.4 | 8.1 | 2.1384 | Yes |
| 5.4.3 | 0.1 | 0.0264 | No |
| 5.4.2 | 0 | 0 | No |
| 5.4.1 | 0 | 0 | No |
| 5.4.0 | 0.1 | 0.0264 | No |

Things look far more grim again here:

| Type | % Of Minor | % Of Total |
|---|---|---|
| Secure 5.4 | 10.6 | 2.7984 |
| Insecure 5.4 | 89.6 | 23.6544 |

Note here that the total is 100.2%. This is due to rounding in the figures reported by W3Techs, but it shouldn't affect our overall figures.

So 89.6% of 5.4 installs are vulnerable. Yay.

PHP 5.3

Now we get to the big one. Accounting for a whopping 45.9% of all PHP installs, 5.3 hits big. So let's look at the numbers:

| Version | % Of Minor | % Of Total | Secure? |
|---|---|---|---|
| 5.3.29 | 23.7 | 10.8783 | No |
| 5.3.28 | 15.5 | 7.1145 | No |
| 5.3.27 | 7.2 | 3.3048 | No |
| 5.3.26 | 2.4 | 1.1016 | No |
| 5.3.25 | 0.9 | 0.4131 | No |
| 5.3.24 | 1 | 0.459 | No |
| 5.3.23 | 1.5 | 0.6885 | No |
| 5.3.22 | 0.6 | 0.2754 | No |
| 5.3.21 | 0.8 | 0.3672 | No |
| 5.3.20 | 0.6 | 0.2754 | No |
| 5.3.19 | 0.8 | 0.3672 | No |
| 5.3.18 | 0.9 | 0.4131 | No |
| 5.3.17 | 1 | 0.459 | No |
| 5.3.16 | 0.5 | 0.2295 | No |
| 5.3.15 | 0.9 | 0.4131 | No |
| 5.3.14 | 0.6 | 0.2754 | No |
| 5.3.13 | 3.2 | 1.4688 | No |
| 5.3.12 | 0 | 0 | No |
| 5.3.11 | 0 | 0 | No |
| 5.3.10 | 9 | 4.131 | Yes |
| 5.3.9 | 0.3 | 0.1377 | No |
| 5.3.8 | 1.5 | 0.6885 | No |
| 5.3.7 | 0 | 0 | No |
| 5.3.6 | 1.2 | 0.5508 | No |
| 5.3.5 | 0.7 | 0.3213 | No |
| 5.3.4 | 0.1 | 0.0459 | No |
| 5.3.3 | 22.6 | 10.3734 | Yes |
| 5.3.2 | 2.3 | 1.0557 | Yes |
| 5.3.1 | 0.1 | 0.0459 | No |
| 5.3.0 | 0.1 | 0.0459 | No |

The case here is almost identical to 5.5:

| Type | % Of Minor | % Of Total |
|---|---|---|
| Secure 5.3 | 33.9 | 15.5601 |
| Insecure 5.3 | 66.1 | 30.3399 |

Not much else to comment on here.

PHP 5.2

Note that PHP 5.2 is not maintained by any current release of any of the 3 main distributions. Therefore, we can safely skip the version-by-version breakdown and jump right to the conclusion:

| Type | % Of Minor | % Of Total |
|---|---|---|
| Secure 5.2 | 0 | 0 |
| Insecure 5.2 | 100 | 20.1 |

PHP 5.1

PHP 5.1 accounts for 1.2% of all PHP installs. So let's break it down:

| Version | % Of Minor | % Of Total | Secure? |
|---|---|---|---|
| 5.1.6 | 94.8 | 1.1376 | Yes |
| 5.1.5 | 0.2 | 0.0024 | No |
| 5.1.4 | 1.4 | 0.0168 | No |
| 5.1.3 | 0 | 0 | No |
| 5.1.2 | 3.1 | 0.0372 | No |
| 5.1.1 | 0.4 | 0.0048 | No |
| 5.1.0 | 0 | 0 | No |

And totaling:

| Type | % Of Minor | % Of Total |
|---|---|---|
| Secure 5.1 | 94.8 | 1.1376 |
| Insecure 5.1 | 5.2 | 0.0624 |

So the situation here is actually quite good, with 94.8% of all 5.1 installs being secure.

But it's 5.1...

Totalling It Up:

Let's sum up all of the total columns:

| Type | % Of Total |
|---|---|
| Secure | 21.71 |
| Insecure | 78.27 |

These numbers are optimistic. That's because we're counting every install of a version number that is maintained by a distribution as secure, even though not all installs of that version number are going to come from a distribution. Just because 5.3.3 is maintained by CentOS and Debian doesn't mean that every install of 5.3.3 is maintained. There will be a small percentage of installs that are built from source.

Therefore, the real "secure" number is going to be less than quoted.

Additionally, it assumes that the distribution installs are always kept updated. So just because you're running Debian's 5.3.3 doesn't mean you've got all of the latest patches and updates for it.

So 21.71% is an upper bound on the number of secure installs.

This Is Pathetic

This is absolutely and unequivocally pathetic. This means that over 78% of all PHP installs have at least one known security vulnerability. Pathetic.

Check your installed versions. Push for people to update. Don't accept "if it works, don't fix it."... You have the power to change this, so change it.

Security is everyone's problem. What matters is how you deal with it.