Thursday, January 3, 2008
The threat from user applications
Since the WMF vulnerability in January 2006, client applications seem to have become the next target for malware and malicious attackers. I wrote about the evolution of threats and related vulnerabilities at that time. So, it's not very surprising to see here and here that people are worried about vulnerabilities in software other than the OSes.

Microsoft has established a good updating system. A lot of people have complaints about it, but it works. There haven't been any new worms exploiting unpatched Microsoft vulnerabilities for a long time. What concerns me most, however, is that software that is as ubiquitous as Windows is not being updated as it should be. Adobe software, like Acrobat and Flash Player, is the most critical. There is also the Java Virtual Machine.

Almost all of them already have an automatic updating system. The problem is that we have software from several vendors installed, which multiplies the installed agents that automatically check for and apply their updates. Take a look at your Windows start-up points and you'll notice several agents that constantly check for updates of your installed software. Do you have a way to quickly verify if all those things are up to date?

If this is a problem for the home user, imagine it for big corporations. When I talk with CSOs about their patch management strategies, they are always proud to show how quickly they can update their main servers. Some of them can update Microsoft software on their workstations very fast too. But it's interesting to see that almost nobody has a plan or process in place to update things like Adobe Acrobat or the JVM. Even more interesting is the fact that they don't seem to understand how important that is.

We still haven't seen a big incident based on vulnerabilities in those products. With all the opportunities to share content generated by social networks, blogs and feeds, it isn't hard to see the possibilities for that to happen.
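One concrete answer to the "do you have a way to quickly verify" question is a small inventory script run on each workstation. The PowerShell below is an added example, not something from the original post: it reads the installed-application list from the registry Uninstall keys, compares a few third-party products against a minimum-version baseline that the administrator maintains, and then lists the per-machine and per-user Run entries so you can see which vendor update agents are actually registered to start. The product-name patterns and the baseline versions are assumptions and placeholders; replace them with the names and approved versions used in your environment.

```powershell
# Added example (not from the original post): inventory installed applications
# from the registry Uninstall keys and check a few third-party products against
# a defender-maintained minimum-version baseline. Versions are placeholders.

# Keys are match patterns for DisplayName (assumed, adjust to your environment);
# values are the lowest version you consider acceptable.
$Baseline = @{
    'Adobe Reader'       = [version]'0.0'   # placeholder: set your approved minimum
    'Adobe Flash Player' = [version]'0.0'   # placeholder
    'Java'               = [version]'0.0'   # placeholder
}

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Entries without a DisplayName are not user-visible applications; skip them.
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher

function Test-Baseline {
    param([array]$Apps, [hashtable]$Minimums)
    foreach ($name in $Minimums.Keys) {
        $found = $Apps | Where-Object { $_.DisplayName -like "$name*" }
        if (-not $found) {
            [pscustomobject]@{ Product = $name; Installed = '(not found)'; Status = 'ABSENT' }
            continue
        }
        foreach ($app in $found) {
            # DisplayVersion is free text ("9.0.0 Beta", "1.6.0_03"); keep the
            # leading dotted-numeric part so [version] can parse it.
            $parsed = $null
            $numeric = $app.DisplayVersion -replace '[^\d\.].*$', ''
            $ok = [version]::TryParse($numeric, [ref]$parsed)
            $status = if (-not $ok)                       { 'UNPARSEABLE' }
                      elseif ($parsed -lt $Minimums[$name]) { 'OUTDATED' }
                      else                                  { 'OK' }
            [pscustomobject]@{ Product = $app.DisplayName; Installed = $app.DisplayVersion; Status = $status }
        }
    }
}

Test-Baseline -Apps $Installed -Minimums $Baseline | Format-Table -AutoSize

# The update agents the post talks about are registered in the Run keys.
# Listing them shows which vendors' updaters will actually start at logon.
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path $RunKeys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $_.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop provider metadata
            Select-Object @{ n = 'Entry'; e = { $_.Name } }, @{ n = 'Command'; e = { $_.Value } }
    } | Format-Table -AutoSize
```

An ABSENT or UNPARSEABLE row is as useful as an OUTDATED one: a product you expected to find but cannot inventory is a product you cannot prove is patched. Running this from a central management tool and collecting the output is the minimum that turns "the updater is installed" into "the version is verified".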
It will be funny to watch desperate CSOs trying to explain how lots of computers became infected even after those massive investments in WSUS, BigFix, you-name-it patch products and antivirus. But after the usual crisis there will be a huge window of opportunity for new products that try to solve that. Once again we will see people buying little boxes as pills to solve their pain. And once again they will spend more than necessary and will remember that they should have thought about another thing first: the process.

And not only the security guys will realize that they weren't doing things right. Auditors will rush to update their checklists and add more questions about patch management. Hey, weren't they already asking about it? OK, I'm still waiting to meet an auditor who asks how a company deals with patching applications other than operating systems. I'm not sure that most of them even know that there is a risk related to that.

And once again we look at a "new" threat appearing on the horizon with that "déjà vu" feeling. If everything happens the way it happened before, everybody will be OK. The problem is that the world is also changing. This new threat is appearing in a world dealing with increasingly stronger cybercriminals and targeted attacks. Mixing those factors can really bring us problems more serious than those we faced in the past.