Bit9 has issued an interesting piece of research that builds on the report produced by Secunia earlier this week which that found a mere 2 percent of all PCs are fully patched with the latest relevant security updates for all of their applications.
The security vendor is an applications white-listing specialist, so, it spends a fair amount of time looking at all the vulnerabilities and attacks being reported out there that affect the systems it approves or blocks for its customers, which includes just about everything you might find on a typical desktop.
Anyhow, what Bit9 took the trouble to do was publish a “dirty dozen” list (which sadly includes no Jim Brown or Telly Savalas cameos) of the most popular applications that most of us have on our computers – including browsers, IM clients and the like – which have been repeatedly updated for security purposes.
The list highlights a couple of interesting facts, including the reality that some of the most widespread technologies in the world are also the most openly assailable, when un-patched, which is a pretty deadly combination when you think about it.
It also shows you just how hard security departments must work, or force their providers to work, to ensure that they stay up to date with every significant vulnerability announcement, and every update issued by all the world’s major software makers. I know people whose job is to do so full- time who admit that they can barely scratch the surface for the most part, at least without help from the pros.
As part of its criteria for the list, which also required that the involved programs have fixed a critical vulnerability since June 2008, ran on Windows, were widely deployed, and never classified as “malicious” in nature by security researchers, Bit9 also only looked at technologies which, most importantly, rely on the end user or an administrator to update to their latest, most secure version.
Because, let’s face it – while I’ve disabled the auto-update feature of iTunes myself because it’s too noisy otherwise – the human element in this whole process is the elephant in the room.
“Becoming more secure has traditionally meant sacrificing business flexibility, which is almost always an unacceptable choice. So we manage what we can, accepting that a sizable amount of software evades standard control mechanisms. That’s usually software that users install on their own–sometimes for business purposes, other times for personal uses, but always outside of the realm of IT’s knowledge,” Bit9 researchers observe in the report. “This invisible gray zone contains a mix of business tools, consumer applications, unauthorized software, and the latest and most undetectable malware. But for the sake of business flexibility, we keep the controls dialed down and politely deal with the inevitable mess.”
And that’s true. We do accept risk related to the insecurity of these technologies in the name of making ourselves more productive, hoping that their respective makers find and fix enough of the vulnerabilities in their products to protect us, and that we are smart enough to keep up with those efforts and stay patched.
The dirty dozen applications (or vendors) identified by Bit9 are:
Mozilla Firefox Adobe Flash & Acrobat Sun Java Runtime Environment (JRE) EMC VMware Player, Workstation and other products Apple QuickTime, Safari & iTunes Symantec AV Trend Micro AV Citrix Products Aurigma, Lycos Skype VoIP Yahoo! Assistant Microsoft Windows Live (MSN) Messenger
Now, I know that I have a number of these applications running on my desktop right now. Does that make me less secure than the average user? Probably not, especially since, in addition to trying to keep up with latest versions, I primarily compute from behind a corporate firewall.
But, the takeaway should be pretty clear. That being, that the most popular, well-backed, commercially supported technologies on our computers (including those meant to stop attacks!) are often those that likely expose us to the greatest potential for a successful compromise.
Because, attackers also know that they are huge numbers of people using each of these tools, so it makes sense for them to go after them even after a vendor patch has been issued.
So, try to stay patched. And accept that this is a crazy world that we’re living in.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.