Incident Response, Network Security, Patch/Configuration Management, TDR, Vulnerability Management

Software flaws, delayed patching reign so far this year

Third-party programs, such as Adobe Reader and Mozilla Firefox, are responsible for the steady increase in the number of software vulnerabilities affecting computer users, according to a new report released Monday by Secunia.

The Danish firm, which tracks software flaws, determined that the total number of vulnerabilities affecting a typical end-user is expected to reach 760 this year, up from 220 three years ago. Through the first half of this year, the total number of bugs facing an average user already has reached 380, nearly 90 percent of the total from all of last year.

The precipitous rise in vulnerabilities is attributable to researchers and criminals upping their focus on third-party applications.

"Data from the first half of 2010 shows that third-party program vulnerabilities are the primary risk factor for typical end-user PCs," the report said. "From an attacker's perspective, targeting third-party programs proves to be a rewarding path, and will probably remain so for an extended period of time."

The reason why is that many users fail to update these applications, the report said. Either they ignore these applications because they do not consider them viable attack vectors, or the programs do not come equipped with sufficient update mechanisms.

"The bad guys started out attacking operating systems and services on servers that were exposed," Brad Arkin, director of product security and privacy at Adobe, told SCMagazineUS.com on Monday. "Now those attacks have been moving up the stack. We definitely see the bad guys putting more attention on those third-party products."

Aside from companies such as Microsoft, Google, Mozilla and Adobe, most manufacturers leave all the work up to the end-user, the report said. In many cases, these companies lack the resources to harden their code or provide a robust auto-update feature.

"It appears that most vendors do not take significant steps to secure their users and customers before active exploitation take place on a larger scale where it starts to threaten the overall reputation of the business," the report said. "The lack of effective updating mechanisms expose end-users to significant risks, as vulnerable software tends to 'survive' for a long time before being updated for other reasons than security, thus leaving the user exposed for prolonged periods of time and providing criminals ample time to exploit the vulnerabilities."

Mozilla Firefox, Apple Safari, Sun Java, Google Chrome and Adobe Reader were the top five programs responsible for software vulnerabilities between June 2009 and June 2010 based on number of known vulnerabilities.

The report said organizations must grasp the danger that third-party applications pose. In addition, Secunia called on the security software industry to create technology that allows users to install security updates across a wide array of third-party programs.

Adobe's Arkin said the report underscores the importance of staying up to date. In April, the company officially released its new automatic updater tool.

"The vast majority of attacks in the wild are going after vulnerabilities in products that are known and patched in the most recent version of the software," he said. "If the user can stay up to date, they're going to be defended against those types of attacks."

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds