Third-party software responsible for most vulnerabilities
Posted on 12 January 2011.
Most people who own a PC are familiar with Microsoft's patching process: it's easy and it's already there. For a lot of them, it also gives the impression that Microsoft's products are chock-full of flaws.

But, according to Stefan Frei, Research Analyst Director with Secunia, it's not the vulnerabilities in Microsoft's products we should worry about, but those in third-party software.

At the Infosecurity press event in London, Frei said that even though the number of discovered vulnerabilities has slightly decreased in the last two years, the worrying fact is that 84 percent of all those found in 2010 can be exploited from a remote location, and that 69 percent are tied to third-party products that may or may not have a quality patching mechanism in place.

The percentages reported are the result of Secunia's Annual Report for 2010, compiled by taking stock of the information gathered by their Personal Software Inspector - a tool designed to detect vulnerable and outdated programs and plug-ins.

According to these numbers, 55 percent of end-point users have more than 66 programs from more than 22 vendors installed on their systems. Of the top 50 programs in use, 26 are developed by Microsoft and the remaining 24 by 14 other vendors.

A simple equation can tell us how many opportunities a cyber criminal has: number of hosts x number of vulnerabilities = opportunity.

Currently, some 28 percent of the world's population - that's almost two billion people - have access to and use the Internet. From 2000 to 2010, the number of global users grew by 448 percent, and that certainly didn't go unnoticed by cyber criminals.

But, while the number of vulnerabilities found overall has decreased, the number of vulnerabilities affecting a typical end-point computer has increased by about 71 percent. Third-party programs are almost exclusively responsible for this trend, as 69 percent of those vulnerabilities are found in them.

So, one single patch mechanism covers 31 percent of the vulnerabilities found in the OS (Windows) and other Microsoft products, but 13 different update mechanisms are needed to patch the remaining 69 percent of vulnerabilities found in third-party software.

And when these update mechanisms are too complex, patches become virtually useless. It is no wonder, then, that the results showed third-party programs are less likely to be found fully patched.

According to Frei, patching is extremely important, but its importance is still not fully recognized and prioritized. "A patch provides better protection than a thousand signatures, because it eliminates the root cause," he says. The problem is that most users still consider the OS and Microsoft products the primary attack vectors and neglect the patching of third-party software.

It turns out, then, that cybercriminals don't actually need to exploit vulnerabilities in Microsoft software, or even zero-day vulnerabilities - there are plenty of those in third-party software.

Wouldn't silent patching solve many of these problems, I asked. Frei said that he advocates default silent patching for inexperienced users, because he believes that those who know should help those who don't, but that experienced and knowledgeable users should be able to switch it off.
