Software flaws, delayed patching reign so far this year

Powered by SC Magazine
2010 is on pace to become a record-setting year for software vulnerabilities.

Third-party programs, such as Adobe Reader and Mozilla Firefox, are responsible for the steady increase in the number of software vulnerabilities affecting computer users, according to a new report released Monday by Secunia.

The Danish firm, which tracks software flaws, determined that the total number of vulnerabilities affecting a typical end-user is expected to reach 760 this year, up from 220 three years ago. Through the first half of this year, the total number of bugs facing an average user already has reached 380, nearly 90 percent of the total from all of last year.

The precipitous rise in vulnerabilities is attributable to researchers and criminals upping their focus on third-party applications.

"Data from the first half of 2010 shows that third-party program vulnerabilities are the primary risk factor for typical end-user PCs," the report said. "From an attacker's perspective, targeting third-party programs proves to be a rewarding path, and will probably remain so for an extended period of time."

The reason, the report said, is that many users fail to update these applications: either they do not regard them as viable attack vectors and so ignore them, or the programs lack adequate update mechanisms.

"The bad guys started out attacking operating systems and services on servers that were exposed," Brad Arkin, director of product security and privacy at Adobe, told SCMagazineUS.com on Monday. "Now those attacks have been moving up the stack. We definitely see the bad guys putting more attention on those third-party products."

Aside from companies such as Microsoft, Google, Mozilla and Adobe, most manufacturers leave all the work up to the end-user, the report said. In many cases, these companies lack the resources to harden their code or provide a robust auto-update feature.

"It appears that most vendors do not take significant steps to secure their users and customers before active exploitation takes place on a larger scale where it starts to threaten the overall reputation of the business," the report said.

"The lack of effective updating mechanisms exposes end-users to significant risks, as vulnerable software tends to 'survive' for a long time before being updated for other reasons than security, thus leaving the user exposed for prolonged periods of time and providing criminals ample time to exploit the vulnerabilities."

Mozilla Firefox, Apple Safari, Sun Java, Google Chrome and Adobe Reader were the five programs with the most known vulnerabilities between June 2009 and June 2010, the report said.

The report said organisations must grasp the danger that third-party applications pose. In addition, Secunia called on the security software industry to create technology that allows users to install security updates across a wide array of third-party programs.
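The practical first step behind that recommendation is knowing which third-party programs on each machine are behind a known-patched version. The script below is an added example written for this page, not code from Secunia or from the report. It parses a constructed software inventory (hypothetical hosts and version strings) and compares each installed version against a hypothetical admin-maintained baseline. The point it makes that the paragraph does not is that version strings must be compared numerically: a plain string comparison ranks "9.10.0" below "9.3.3" and would silently mark an updated program as current.

```python
"""Flag installed third-party programs older than a known-patched baseline.

Added example for illustration. The inventory lines, host names, version
numbers and the BASELINE table are all constructed/hypothetical; they are
not taken from the Secunia report.
"""
import re

# Constructed sample inventory: one "host program version" record per line.
INVENTORY = """\
host=ws-01 program="Adobe Reader" version=9.3.0
host=ws-01 program="Mozilla Firefox" version=3.6.6
host=ws-02 program="Adobe Reader" version=9.1.2
host=ws-02 program="Sun Java" version=6u20
host=ws-03 program="Google Chrome" version=5.0.375.99
host=ws-03 program="Apple Safari" version=4.0.5
host=ws-03 program="Some Untracked Tool" version=1.2
"""

# Hypothetical minimum patched versions an administrator would maintain.
BASELINE = {
    "Adobe Reader": "9.3.3",
    "Mozilla Firefox": "3.6.6",
    "Sun Java": "6u21",
    "Google Chrome": "5.0.375.99",
    "Apple Safari": "5.0",
}

LINE_RE = re.compile(r'host=(\S+)\s+program="([^"]+)"\s+version=(\S+)')


def version_key(version):
    """Split a version string into a tuple of ints.

    '9.3.3' -> (9, 3, 3); '6u21' -> (6, 21). Comparing these tuples is
    numeric, so '9.10.0' correctly sorts above '9.3.3' (string comparison
    would get this wrong because '1' < '3').
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b.

    Shorter tuples are zero-padded so '5.0' and '5.0.0' compare equal.
    """
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def parse_inventory(text):
    """Yield (host, program, version) tuples from inventory lines; skip junk."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groups())
    return records


def find_outdated(text, baseline):
    """Return (host, program, installed, required) for every record that is
    older than the baseline entry for that program. Programs not in the
    baseline are not assessed (untracked is not the same as up to date)."""
    outdated = []
    for host, program, installed in parse_inventory(text):
        required = baseline.get(program)
        if required is None:
            continue
        if compare_versions(installed, required) < 0:
            outdated.append((host, program, installed, required))
    return outdated


if __name__ == "__main__":
    for host, program, installed, required in find_outdated(INVENTORY, BASELINE):
        print(f"{host}: {program} {installed} is below baseline {required}")
```

The untracked program in the sample is deliberately left out of the result rather than reported as compliant; in a real deployment the gap between "installed" and "in the baseline" is itself a finding, since the report's warning is precisely about programs nobody is watching.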

Adobe's Arkin said the report underscores the importance of staying up to date. In April, the company officially released its new automatic updater tool.

"The vast majority of attacks in the wild are going after vulnerabilities in products that are known and patched in the most recent version of the software," he said. "If the user can stay up to date, they're going to be defended against those types of attacks."

See original article on scmagazineus.com

Copyright © SC Magazine, US edition