Proactive IT Security
 

Software most susceptible to successful attacks

Introduction

A new report about security risks was published this week. This report - "The Top Cyber Security Risks" - is a joint effort from the security organizations TippingPoint, Qualys, and SANS. In this week's security article we shall discuss one particular issue in the report - patching software.

The findings from the study seem to indicate that organizations as well as single users need to change/update their patching regime to tighten their security.

Vulnerabilities in software - a major security risk

Over the years we have written several security articles about the fact that malware writers use vulnerabilities in operating systems and applications to spread malware and/or get access to confidential information. The report referred to above pinpoints some interesting statistics regarding this:

  • vulnerabilities in applications get less attention and are patched slower than vulnerabilities in operating systems
  • there are more vulnerabilities discovered in applications than in operating systems

There may be at least three different parties involved in a vulnerability:

  1. The software vendor that wrote the software containing the vulnerability, and that may provide a patch once the vulnerability is known.
  2. The person and/or organization that discovers the vulnerability, and may or may not report it to the software vendor. That entity may also exploit the vulnerability, either through malware or by other means.
  3. The person and/or organization that uses software with this vulnerability. If a patch is provided by the vendor, it may or may not be installed.

Considerations regarding 2 above also involve whether to disclose the vulnerability to the public, an issue discussed for example in this article.
This time, however, we will concentrate on the two other items from the list above.

Vulnerabilities in applications get less attention and are patched slower than vulnerabilities in operating systems

This is not a surprising result from the report. It seems safe to assume that this observation is true, since:

  • operating system updates are often automatically downloaded, and, if set up that way, even installed automatically
  • vulnerabilities in operating systems in general get more media attention than vulnerabilities in applications, so the need for updating is more obvious
  • those responsible for IT security in an organization will (correctly!) focus more on wide-spread vulnerabilities than on those only present on some computers (all computers have an operating system; not all have a specific application installed)

Knowing these facts, however, will lead the average, rational author of malicious programs to shift her attention. Rather than focusing her efforts on vulnerabilities in operating systems - with a very large potential during a small window of opportunity - it is probably wiser to focus on vulnerabilities in wide-spread applications. The sheer number of installations is smaller, but the time frame for successfully exploiting the vulnerabilities may be much longer.

Add to this the observation mentioned above: updating applications is often cumbersome. Some applications have no automatic updating mechanism at all, but rely on a complete new installation of the new version (some even require complete removal of the vulnerable version prior to installing the new one). Others have to be manually configured to look for updated versions. Still others have update mechanisms that check for updated versions very seldom. Finally, some applications have no system at all in place that informs the user that a newer (more secure) version is available.

In sum the result is that malicious software, which targets (popular) applications, in general lives successfully months and even years after the vendor has provided a more secure version and/or a patch for the vulnerability.

More vulnerabilities discovered in applications than operating systems

One reason for this may of course be that operating systems are more secure than applications. This might be true.

However, we will suggest that the main reason is the fact that "the bad girls" know that the patching frequency for applications is slower, as discussed above. The effort involved in finding a vulnerability in a much-used application will therefore pay off more, as the exploiting malware will have a longer lifespan.

As long as this situation remains unchanged, this focus on application vulnerabilities will most likely prevail - at least for wide-spread applications.

Too many updating technologies

As mentioned above, there is no standard for updating applications.

It may be argued that operating system vendors (like Microsoft) offer similar updating mechanisms for their applications as for the operating system. One may also say that in some cases applications from the same vendor have identical or similar updating mechanisms. No cross-vendor, cross-application updating mechanism exists, though.

Patch management systems

This fact has resulted in a new set of products that attempt to remedy this need - systems for managing patches and updates. Several such systems exist, and organizations that take the effort to purchase, install and update (sic!) these are far better off, being up to date with more secure applications, than those which have no patch/updating regime in place.

Smaller organizations and home users in particular will often not be able to take advantage of these systems due to pricing considerations.

Checking an application from another

Interestingly, the Mozilla project, which is responsible for the development of, for example, the popular browser Firefox, announced this month that new versions of Firefox will have a mechanism in place to warn users if their version of the Adobe Flash Player plug-in for Firefox is out of date. This is one example of an application vendor taking responsibility for protecting users from vulnerabilities in other vendors' products.
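The core of both a patch management system and a check such as Firefox's Flash warning is the same: compare the installed version of each application against the oldest version the vendor has declared safe, and flag anything older. The following script is an added example written for this article; it is not code from the original page, from Mozilla, or from any patch management product. The inventory and the minimum-version table are constructed for illustration (the version numbers are illustrative, not taken from any advisory), and the comparison does the two things a naive string comparison gets wrong: it compares components numerically, so 1.10 is newer than 1.9, and it treats missing trailing components as zero, so 10.0 equals 10.0.0.

```python
"""Flag installed applications whose version is below a known-safe minimum.

Added example for this article, not code from the original page, from
Mozilla, or from any patch-management vendor. The inventory and the
minimum-version table are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory of installed software (name -> installed version).
# In practice this would come from the OS package database, the Windows
# registry, or the browser's plug-in list.
INSTALLED = {
    "Adobe Flash Player": "10.0.22.87",
    "Firefox": "3.5.3",
    "Example Viewer": "1.9",
    "Example Office": "2.1.0-rc1",
}

# Constructed table of the oldest version a vendor has declared safe.
MIN_SAFE = {
    "Adobe Flash Player": "10.0.32.18",
    "Firefox": "3.5.3",
    "Example Viewer": "1.10",
    "Example Office": "2.1.0",
}


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '10.0.32.18' into ((10, 0, 32, 18), '') and '2.1.0-rc1' into
    ((2, 1, 0), 'rc1'). Numeric components are compared as integers, so
    '1.10' is newer than '1.9' (a plain string comparison gets this wrong).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-+]?(.*))?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    suffix = m.group(2) or ""
    return numbers, suffix


def is_outdated(installed: str, minimum: str) -> bool:
    """True if `installed` is strictly older than `minimum`.

    Missing trailing components count as zero ('10.0' == '10.0.0'). A
    pre-release suffix ('2.1.0-rc1') is treated as older than the same
    numeric version without a suffix, so a release candidate is flagged
    when the vendor's fixed release is the final build.
    """
    inst_num, inst_suf = parse_version(installed)
    min_num, min_suf = parse_version(minimum)
    width = max(len(inst_num), len(min_num))
    inst_num += (0,) * (width - len(inst_num))
    min_num += (0,) * (width - len(min_num))
    if inst_num != min_num:
        return inst_num < min_num
    # Same numeric version: a pre-release (non-empty suffix) is older than final.
    return bool(inst_suf) and not min_suf


def audit(installed: Dict[str, str],
          minimum: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, installed, minimum) for every application below its
    minimum safe version. Applications with no entry in `minimum` are
    skipped here; absence of data is not evidence of safety, so a real
    tool should report those separately as 'unknown'."""
    findings = []
    for name, version in sorted(installed.items()):
        if name in minimum and is_outdated(version, minimum[name]):
            findings.append((name, version, minimum[name]))
    return findings


if __name__ == "__main__":
    for name, have, want in audit(INSTALLED, MIN_SAFE):
        print(f"OUTDATED: {name} {have} (fix available: {want})")
```

Run against the constructed inventory, the script reports Adobe Flash Player, Example Office and Example Viewer as outdated and leaves Firefox alone. The hard part in practice is not the comparison but keeping the minimum-version table current for every vendor, which is exactly the cross-vendor work the article argues no single application or operating system vendor currently does.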

Initiative from the operating system vendors?

Some have advocated the view that a common system for updating applications - either patches, general program updates, or both - should be developed by the operating system vendors.

Such a system could be an API (Application Programming Interface) that third-party programmers use so that the operating system gets access to the product's updating mechanism. Users and IT administrators could then configure updating schemes from one single interface, analogous to how other global settings are configured.
