Dealing with Application Security Vulnerabilities

Statistics from Bit9 serve as a reminder of the importance of keeping application patches up-to-date in the enterprise.

Applications vulnerabilities are the honey bringing attackers out of their hives.

According to an analysis by Bit9, released Dec. 16, this year's list of applications with the most serious vulnerabilities had Adobe Reader, Acrobat, Flash Player and Shockwave at the top. For IT administrators, the findings are a reminder of the importance of keeping track of vulnerable endpoints.

"Operating systems have been a focus point of security research over the last 10 years and have improved significantly," said Wolfgang Kandek, CTO of Qualys. "The importance of keeping systems up-to-date is clear to most IT administrators. Applications have not followed the same pattern and are now a simpler target for attackers, which are opportunistic in their behavior."

As a whole, the NIST (National Institute of Standards and Technology) database shows vulnerabilities in Adobe Systems applications jumped from 66 in 2008 to 99 in 2009, noted Kate Munro, director of product marketing at Bit9. More than 70 of this year's Adobe vulnerabilities were rated "high," she added.

In many cases, the responsibility of deploying patches falls on the shoulders of users and IT administrators. In the workplace, administrators need to know programs are on their networks' computers in order to exercise control, Munro said.

"To achieve this, they need to do a live inventory of all the software on their endpoints," she said. "This establishes a baseline. From there they can create an application control policy that defines what is acceptable, safe and approved to run for the company. It can be a policy or 'whitelist' for individuals or for group of users at their company."

Administrators should focus on applications in this order: Adobe Reader, Adobe Flash, Microsoft Office, Sun Java and Apple QuickTime, Kandek opined.

"Attackers have realized that the installed base of Adobe software (Reader and Flash) is very big, potentially bigger than the Windows installed base ... Adobe's new structured process is helpful, but we still need to deal with the old installed and outdated software base that will not get updated without major work. [A] Firefox plug-in checker is a good first step, but we will need more cooperation between OS vendors and application providers," he said.