Third-Party Software, Browser Components Account For Most Flaws, Study Finds


Businesses often have a difficult time patching software because a significant number of vulnerabilities are in third-party programs not covered by the formal patch management programs overseen by IT teams, according to a study that looked at flaws in popular software programs in 2013.

In an analysis of the 50 most popular programs run on PCs conducted by Danish vulnerability management vendor Secunia, the company found that 76 percent of the coding errors were from third-party programs. Secunia said only 16 percent of the flaws affected Microsoft programs and even fewer (8 percent) were operating system errors. The security vendor's review came up with more than 1,200 vulnerabilities in 27 products in the Top 50 most popular programs.

"No IT administrator has the time and resources to manually keep track of the patch state of all the programs on all computers in their IT infrastructure on a continuous basis," Secunia said in its report, issued at the 2014 RSA Conference. "Users and administrators have to source alternative methods -- independently and per product -- to ensure that their computers are properly patched, and thus protected from vulnerable software."


The Secunia analysis is based on anonymous data that it gathered from scans of millions of PCs that run its Secunia Personal Software Inspector, which identifies flaws in third-party programs. The average PC has about 75 programs installed on it, Secunia said. About 40 percent of the programs are Microsoft software.

The Top 50 most widely used programs include a variety of Microsoft products, including all the software in Microsoft's Office suite, Microsoft Outlook, Media Player and Silverlight. Microsoft XML Core Services ranks first on the list. Oracle Java, which surpassed Adobe products in 2013 as the most frequently targeted software, is also on the Top 50 list. Skype, Apple iTunes, and Google Earth are on the list as well. Web-based attacks frequently target Java vulnerabilities and Adobe Flash flaws.

Cybercriminals have been moving from the operating system layer to the application layer to conduct attacks, following years of security improvements, including security defenses and automated update mechanisms built into Microsoft Windows and Office products. The vast majority of software coding errors came from third-party browser components, file and multimedia management programs, VoIP applications, and instant messaging clients, Secunia said. Many of the products lack an automated update mechanism, and even fewer automatically inform users of available security updates. Data breach studies frequently cite configuration errors and software vulnerabilities among the common weaknesses exploited by cybercriminals.

Many companies lack a formalized patch management program or any kind of strategy to gain control of vulnerability management, said Nash Pherson, a senior systems consultant at NowMicro, a St. Paul, Minn.-based systems integrator and Secunia partner. In a recent interview with CRN, Pherson cited instant messenger clients, remote management software, and file-sharing applications as common ways the attack surface increases at the endpoint.

Browser security vulnerabilities declined by 18 percent in 2013, with 727 vulnerabilities reported in Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari, according to the Secunia analysis. Secunia said Mozilla Firefox was the browser that posed the most risk of exposure, followed by Internet Explorer, Google Chrome and Opera. The company bases its risk exposure ranking on browser adoption and the percentage of unpatched vulnerabilities in the software.

"The more widespread a program is, and the higher the unpatched share, the more lucrative it is for a hacker to target this program, as it will allow the hacker to compromise a lot of victims," Secunia said.
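The following Python script is an added example, not code from the article or from Secunia, showing how a risk-exposure ranking of the kind described above can be computed from endpoint inventory data. It assumes the ranking is the product of adoption (share of endpoints with the program installed) and unpatched share (share of those installs running a version behind the latest patched one); that reading of Secunia's description is an assumption. The patch baseline, version numbers and endpoint inventories are constructed for the example, and the vendor categories mirror the article's third-party / Microsoft / operating-system split.

```python
"""Added example: risk-exposure ranking from endpoint inventories.

All data below is constructed for illustration; it is not Secunia's data
and the version numbers are not real patch levels.
"""
from collections import defaultdict

# Constructed patch baseline: latest patched version per program, the
# article's vendor category, and whether the program updates itself
# (hypothetical values chosen for the example).
BASELINE = {
    "Windows": {"category": "os",          "latest": "6.1.7601",  "auto_update": True},
    "Office":  {"category": "microsoft",   "latest": "14.0.7116", "auto_update": True},
    "Java":    {"category": "third-party", "latest": "7.0.51",    "auto_update": True},
    "Flash":   {"category": "third-party", "latest": "12.0.0.70", "auto_update": False},
    "Reader":  {"category": "third-party", "latest": "11.0.6",    "auto_update": False},
    "iTunes":  {"category": "third-party", "latest": "11.1.5",    "auto_update": False},
}

# Constructed endpoint inventories: endpoint -> {program: installed version}.
INVENTORIES = {
    "pc-01": {"Windows": "6.1.7601", "Office": "14.0.7116", "Java": "7.0.45",
              "Flash": "11.9.900", "Reader": "11.0.6"},
    "pc-02": {"Windows": "6.1.7601", "Office": "14.0.7015", "Java": "7.0.51",
              "Flash": "12.0.0.70"},
    "pc-03": {"Windows": "6.1.7600", "Office": "14.0.7116", "Java": "6.0.45",
              "Reader": "10.1.4", "iTunes": "11.1.5"},
    "pc-04": {"Windows": "6.1.7601", "Office": "14.0.7116", "Java": "7.0.25",
              "Flash": "11.8.800", "Reader": "11.0.6"},
}


def parse_version(version):
    """Dotted-integer version -> tuple, so comparison is numeric per component.
    Simplification: real vendor version strings may carry non-numeric parts."""
    return tuple(int(part) for part in version.split("."))


def is_unpatched(program, installed):
    """True when the installed version is older than the baseline's latest."""
    return parse_version(installed) < parse_version(BASELINE[program]["latest"])


def exposure_ranking(inventories):
    """Rank programs by adoption * unpatched share (assumed reading of the
    Secunia metric). Ties are broken alphabetically for a stable order."""
    installs = defaultdict(int)
    unpatched = defaultdict(int)
    for programs in inventories.values():
        for program, version in programs.items():
            installs[program] += 1
            if is_unpatched(program, version):
                unpatched[program] += 1
    endpoints = len(inventories)
    rows = []
    for program, count in installs.items():
        adoption = count / endpoints
        unpatched_share = unpatched[program] / count
        rows.append({
            "program": program,
            "adoption": adoption,
            "unpatched_share": unpatched_share,
            "score": adoption * unpatched_share,
            "auto_update": BASELINE[program]["auto_update"],
        })
    rows.sort(key=lambda r: (-r["score"], r["program"]))
    return rows


def unpatched_by_category(inventories):
    """Share of all unpatched installs per vendor category, the same split the
    article reports for vulnerabilities (third-party / Microsoft / OS)."""
    counts = defaultdict(int)
    for programs in inventories.values():
        for program, version in programs.items():
            if is_unpatched(program, version):
                counts[BASELINE[program]["category"]] += 1
    total = sum(counts.values())
    return {category: n / total for category, n in counts.items()}


def manual_patch_queue(ranking):
    """Programs with unpatched installs and no self-update mechanism: these are
    the ones an administrator has to track by other means."""
    return [r["program"] for r in ranking
            if r["unpatched_share"] > 0 and not r["auto_update"]]


if __name__ == "__main__":
    ranking = exposure_ranking(INVENTORIES)
    for row in ranking:
        print(f'{row["program"]:8} adoption={row["adoption"]:.2f} '
              f'unpatched={row["unpatched_share"]:.2f} score={row["score"]:.2f}')
    print("unpatched installs by category:", unpatched_by_category(INVENTORIES))
    print("needs manual tracking:", manual_patch_queue(ranking))
```

With the constructed data, Java tops the ranking because it is on every endpoint and most of those installs are behind the baseline, while iTunes scores zero despite being a third-party program because its single install is current; the category breakdown shows the same pattern the study reports, with most unpatched installs in third-party software rather than in Microsoft or operating-system components.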

Most of the browser vulnerabilities were rated "highly critical" by Secunia. Users also often have multiple browsers installed on their PC but typically only use one browser, resulting in missing patches, the company said.

PDF readers are also a popular target of attackers. Secunia said it saw a 37.3 percent increase in vulnerabilities in the most widely used PDF readers. Adobe Reader, which by far has the largest market share, is exploited most, followed by Foxit Reader, according to the analysis. Adobe Systems had 67 of the 70 vulnerabilities reported in PDF readers in 2013.

PUBLISHED MARCH 3, 2014