In association with heise online

16 September 2009, 14:07

Companies have wrong priorities for security updates


The conclusion reached in the report "The Top Cyber Security Risks", compiled by the SANS (SysAdmin, Audit, Network, Security) Institute and the Internet Storm Center (ISC), is that companies appear to have their priorities wrong when it comes to plugging security vulnerabilities in client PCs. Although recent attacks on Windows PCs almost exclusively exploit vulnerabilities in Adobe Reader, QuickTime, Adobe Flash and Microsoft Office, security updates for these applications take twice as long to be installed as patches for the operating system itself. The report is based on data from 6,000 intrusion prevention systems operated by TippingPoint and more than 100 million vulnerability scans carried out at 9,000 customers by Qualys.

According to the report, 80 per cent of Windows vulnerabilities are patched within 60 days of an update becoming available. By contrast, for applications such as Office, Adobe Acrobat and Java, only 20 to 40 per cent of vulnerabilities are patched within the same time period. The picture is even more dramatic in the case of Flash, where the patch rate is just 10 to 20 per cent. Service provider Trusteer recently reached a similar conclusion by analysing data from its customer monitoring programme.
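The figures above are "share of findings patched within 60 days of the vendor fix", broken down by product. The following is an added example, not code from the report, SANS, Qualys or the article, showing how to derive that metric from your own scanner export so you can see whether your client applications lag the OS the way the report describes. The `Finding` record layout, the product names and the scan dates are constructed for the example; any real scanner will need a small adapter to this shape.

```python
"""Measure time-to-patch per product from vulnerability-scan records.

Added example (not from the SANS/Qualys report): computes the share of
findings fixed within N days of the vendor patch, the median lag, and
which products fall behind the operating system by a given factor.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerable install as reported by a scanner (hypothetical schema)."""
    host: str
    product: str                # e.g. "Windows", "Flash", "Office"
    fix_available: date         # day the vendor shipped the patch
    patched_on: Optional[date]  # first scan that no longer saw it; None = still open


def patch_rate(findings: Iterable[Finding], as_of: date,
               window_days: int = 60) -> Dict[str, float]:
    """Fraction of findings per product that were patched within `window_days`.

    Only findings whose window has already elapsed by `as_of` go into the
    denominator: a finding whose patch is younger than the window cannot yet
    be called late, so it is skipped rather than counted as a failure.
    """
    judged: Dict[str, int] = {}
    in_time: Dict[str, int] = {}
    for f in findings:
        if (as_of - f.fix_available).days < window_days:
            continue  # too early to tell
        judged[f.product] = judged.get(f.product, 0) + 1
        if f.patched_on is not None and (f.patched_on - f.fix_available).days <= window_days:
            in_time[f.product] = in_time.get(f.product, 0) + 1
    return {p: in_time.get(p, 0) / n for p, n in judged.items()}


def median_days_to_patch(findings: Iterable[Finding]) -> Dict[str, float]:
    """Median days between patch release and removal, over findings already patched."""
    lags: Dict[str, List[int]] = {}
    for f in findings:
        if f.patched_on is not None:
            lags.setdefault(f.product, []).append((f.patched_on - f.fix_available).days)
    return {p: float(median(v)) for p, v in lags.items()}


def lagging_products(rates: Dict[str, float], baseline: str,
                     factor: float = 2.0) -> List[str]:
    """Products whose in-window patch rate is at most 1/factor of the baseline's."""
    threshold = rates[baseline] / factor
    return sorted(p for p, r in rates.items() if p != baseline and r <= threshold + 1e-9)


# Constructed sample, not real scan output: every vendor patch shipped on 1 June 2009.
RELEASE = date(2009, 6, 1)
AS_OF = date(2009, 9, 1)
SAMPLE = [
    Finding("pc01", "Windows", RELEASE, date(2009, 6, 10)),
    Finding("pc02", "Windows", RELEASE, date(2009, 6, 20)),
    Finding("pc03", "Windows", RELEASE, date(2009, 7, 5)),
    Finding("pc04", "Windows", RELEASE, date(2009, 7, 20)),
    Finding("pc05", "Windows", RELEASE, None),
    Finding("pc01", "Office", RELEASE, date(2009, 6, 30)),
    Finding("pc02", "Office", RELEASE, date(2009, 7, 25)),
    Finding("pc03", "Office", RELEASE, date(2009, 8, 20)),   # 80 days: outside 60-day window
    Finding("pc04", "Office", RELEASE, None),
    Finding("pc05", "Office", RELEASE, None),
    Finding("pc01", "Flash", RELEASE, date(2009, 6, 15)),
    Finding("pc02", "Flash", RELEASE, date(2009, 8, 10)),    # 70 days: outside 60-day window
    Finding("pc03", "Flash", RELEASE, None),
    Finding("pc04", "Flash", RELEASE, None),
    Finding("pc05", "Flash", RELEASE, None),
    # Patch only 17 days old at AS_OF: excluded from the rate, not counted as late.
    Finding("pc01", "Windows", date(2009, 8, 15), None),
]

if __name__ == "__main__":
    rates = patch_rate(SAMPLE, AS_OF)
    for product, rate in sorted(rates.items()):
        print(f"{product:8s} patched within 60 days: {rate:.0%}")
    print("median days to patch:", median_days_to_patch(SAMPLE))
    print("lagging the OS by 2x or more:", lagging_products(rates, "Windows"))
```

Run it as a script to see the per-product rates; with the sample data Windows comes out at 80 per cent and Flash at 20 per cent, the same shape as the report's figures. Widening `window_days` to 90 moves the Office finding patched after 80 days into the counted set, which is the knob to turn when comparing against a different SLA.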

Website operators frequently and unwittingly help criminals distribute malware. Poorly maintained servers allow trusted websites to be manipulated and malicious code to be embedded and distributed. 60 per cent of all online attacks are now directed at web servers, with the aim of finding and exploiting SQL injection and other vulnerabilities; SQL injection and cross-site scripting (XSS) between them account for more than 80 per cent of all server vulnerabilities.

In its biannual report, IBM came to a similar conclusion: 50 per cent of home users' websites contain at least one dodgy link. In addition, 20 per cent of search engines, portals and directories contain URLs which lead users to infectious websites.

Two conclusions can be drawn from these results: no website can be trusted per se, so browser security-zone models are redundant, and security tips such as "only visit sites you know" are misleading. Just this weekend, for example, scammers succeeded in planting scareware on visitors to the New York Times website. Such incidents are nothing new and are set to increase, since this approach makes it easy for criminals to reach large numbers of users.

Neither administrators nor home users appear able to keep their systems up to date in order to frustrate website-based attacks. One reason for this is likely to be poorly functioning and insufficiently explained update procedures for specific products. Studies have shown that silent updates, where the user is not involved, increase patch rates. There have been some protests about unapproved changes being made to computers, but the average user is likely to be far better served by measures such as this than by a blanket insistence on the right to decide on updates for themselves.

Programs such as Secunia's PSI monitor major components such as the Flash plug-in, Java and browser libraries, and can give users some idea of how dangerous surfing with their system is, but it, too, requires the user to take the initiative by installing the program and then actually using it.

It would be more practical if Microsoft were to integrate an infrastructure into Windows that informed users of updates not only for Internet Explorer 8 but also for Adobe Reader and other third-party applications.
