Software flaws, delayed patching reign so far this year

Powered by SC Magazine
 

2010 is on pace to become a record-setting year for software vulnerabilities.

Third-party programs, such as Adobe Reader and Mozilla Firefox, are responsible for the steady increase in the number of software vulnerabilities affecting computer users, according to a new report released Monday by Secunia.

The Danish firm, which tracks software flaws, determined that the total number of vulnerabilities affecting a typical end-user is expected to reach 760 this year, up from 220 three years ago. Through the first half of this year, the total number of bugs facing an average user already has reached 380, nearly 90 percent of the total from all of last year.

The precipitous rise in vulnerabilities is attributable to researchers and criminals upping their focus on third-party applications.

"Data from the first half of 2010 shows that third-party program vulnerabilities are the primary risk factor for typical end-user PCs," the report said. "From an attacker's perspective, targeting third-party programs proves to be a rewarding path, and will probably remain so for an extended period of time."

The reason is that many users fail to update these applications, the report said. Either they ignore them because they do not consider them viable attack vectors, or the programs do not ship with adequate update mechanisms.

"The bad guys started out attacking operating systems and services on servers that were exposed," Brad Arkin, director of product security and privacy at Adobe, told SCMagazineUS.com on Monday. "Now those attacks have been moving up the stack. We definitely see the bad guys putting more attention on those third-party products."

Aside from companies such as Microsoft, Google, Mozilla and Adobe, most manufacturers leave all the work up to the end-user, the report said. In many cases, these companies lack the resources to harden their code or provide a robust auto-update feature.

"It appears that most vendors do not take significant steps to secure their users and customers before active exploitation takes place on a larger scale where it starts to threaten the overall reputation of the business," the report said.

"The lack of effective updating mechanisms exposes end-users to significant risks, as vulnerable software tends to 'survive' for a long time before being updated for reasons other than security, thus leaving the user exposed for prolonged periods of time and providing criminals ample time to exploit the vulnerabilities."

Mozilla Firefox, Apple Safari, Sun Java, Google Chrome and Adobe Reader were the five programs with the most known vulnerabilities between June 2009 and June 2010.

The report said organisations must grasp the danger that third-party applications pose. In addition, Secunia called on the security software industry to create technology that allows users to install security updates across a wide array of third-party programs.

Adobe's Arkin said the report underscores the importance of staying up to date. In April, the company officially released its new automatic updater tool.

"The vast majority of attacks in the wild are going after vulnerabilities in products that are known and patched in the most recent version of the software," he said. "If the user can stay up to date, they're going to be defended against those types of attacks."

See original article on scmagazineus.com

Copyright © SC Magazine, US edition
