Popular apps need better patching, says report

Network defenders have failed to adapt to current attack trends, continuing to focus on patching operating-system vulnerabilities and leaving ubiquitous applications open to an increasing number of attacks, stated a report published on Tuesday.

Network defenders have failed to adapt to current attack trends, continuing to focus on patching operating-system vulnerabilities and leaving ubiquitous applications open to an increasing number of attacks, stated a report published on Tuesday. The report, based on data from security firms TippingPoint and Qualys, found that information-technology managers were less likely to patch popular applications -- such as Adobe's Flash and Acrobat Reader, Microsoft's Office, Sun's Java and Apple's QuickTime -- despite an increase in the number of attacks against those programs. Vulnerabilities in the applications accounted for more than two-thirds of the top-30 flaws found on corporate computers by Qualys' vulnerability-scanning service, according to the report.
The report suggests that information-technology managers need to focus on the more popular applications favored by their users, said Rohit Dhamankar, director of security research for TippingPoint.
"There are certain programs that have become the favorites of attackers," Dhamankar said. "CISOs need to try and look at these other products, try to patch those products."
The report also warns that vulnerabilities in public Web sites constitute a major danger. More than 60 percent of all attacks detected by security firm TippingPoint were directed at Web applications on public sites. In addition, two major classes of vulnerabilities -- SQL injection and cross-site scripting -- accounted for more than 80 percent of all vulnerabilities, the report found.
Last week, Albert Gonzalez, a Florida resident, plead guilty to multiple acts of identity theft, in which he used SQL injection among other techniques to gain access to corporate networks. SQL injection is a method of exploitation where commands are sent to a Web site's back-end database because the Web application does not validate input and allows attacker to send structured query language (SQL) commands as input. In many cases, the flaws are used to inject code that attempts to infect visitors to the Web site with a malicious program.
"Despite the enormous number of attacks and despite the widespread publicity about these vulnerabilities, most Web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe Web experience," the report stated.
In addition to its other findings, the report concluded that rapid disclosure and patching of flaws is in the best interest of end users because software vulnerabilities in popular software are increasingly being found by more than one group, suggesting that any flaw found by a researchers will already have been or soon will be found by cybercriminals.
In one case, researchers submitted a bug in Microsoft's Internet Explorer in October 22, 2007. Within the next year, two different groups submitted the same flaw even though their method of discovering this issue were completely different, the report stated.
"The skill set of the people doing this work have definitely increased over time," said TippingPoint's Dhamankar. "If a researcher has found a bug, then it's likely that someone on the dark side has already found the bug as well."
In the end, information-technology managers that want to protect their networks need to focus on mitigating the threat of previously unknown flaws, the report concludes.
If you have tips or insights on this topic, please contact SecurityFocus.