Patch Work, Beyond Windows

Holes in Microsoft Windows, Office, and Internet Explorer may be the most popular conduits for a desktop attack, but they aren't the only ones.

Other desktop apps can be softer targets, mostly because they don't get IT's attention when it's swamped with monthly Patch Tuesday updates. The Mozilla Firefox browser vulnerabilities, revealed this week, are a recent example of how other, not-so-high profile desktop apps are increasingly facing security risks. (See Trojan Uses Firefox Add-On.) Apple's iTunes, AOL Instant Messenger, and even antivirus programs are examples of other desktop apps that can introduce vulnerabilities into your network, vulnerability researchers say.

Enterprises aren't as aware of these vulnerabilities as they are with Microsoft's. "They either don't know or aren't focusing their attention on them," says Marc Maiffret, CTO for eEye Digital Security. "My worry is that this will drive attackers to the low-hanging fruit of 10 or so other core applications on the desktop that are just as easy to exploit. IT needs to wake up before it takes a worm to create awareness."

As Microsoft gradually tightens up security on its existing Windows platform -- and with promises of a more airtight Vista as well as IE 7 -- hacking Microsoft's products is likely to become a bit more challenging for the bad guys. And that makes these lower-profile, and often lower-priority, apps an increasingly attractive target.

Enterprises can either lock down their desktops altogether with corporate-only apps or "limit" any non-corporate apps, says Jeremy Rauch, a researcher at Matasano Security. "Are the IT groups who support Firefox patching them with the same speed" as the group patching Microsoft? he asks.

Rauch says he's most concerned about instant messaging applications, which are typically left running unattended. "Anyone who knows your screen name can attack you," he explains. And these types of apps often fall under a grey area when it comes to corporate policy.

According to Kirk Drake, vice president of technology for NIH Federal Credit Union, staying on top of Microsoft patches is actually easier than other desktop apps. "I have 15 or 20 apps, each of which comes out with two or six patches a year and I have to maintain them, all on different PCs," Drake says. NIHFCU has to manually track these security updates.

Bugs that go after non-Microsoft client apps have always been out there. "The way these client-side applications are connected to the outside world has changed. More and more, you get complex applications talking to each other in a very connected way," says David Aitel, CTO for ImmunitySec. "Video games and chat programs have Web portals attached to them."

The big trend is for entire communities of users of these apps being attacked, such as AIM or other point-to-point applications, and even social networking sites like MySpace. "The top target is still Web, mail, and DNS servers. But client-side attacks are often easier to find," Aitel says.

That doesn't mean they're easier to exploit, though. "Personal firewalls, the thousands of different versions of targets, and the general asynchronous nature of client-side attacks makes them somewhat of a numbers game," he says.

But researchers say most attackers today are still mainly going after the popular, well-entrenched Microsoft OS and apps.

Dave Meltzer, CTO of Cambia Security, who found the first vulnerability 10 years ago in CDDB, the technology that lets iTunes "know" the CD you install in your drive, says vulnerabilities in these apps isn't the number one problem, but it is yet another attack vector to the desktop. "And it's especially dangerous for internal desktops to be broken into," he says.

It doesn't help when companies like Macromedia and Apple bury security patches within feature updates, such as with iTunes, says Ross Brown, CEO of eEye. "Users often look and think, 'I don't really need those features,' so they don't install them and don't put the security features on," he says. "And IT doesn't put it on because it doesn't support these apps."

The obvious danger of third-party apps like Quicktime and iTunes is when the vulnerability is remotely exploitable with little or no user interaction to execute, Brown says.

Even the AV vendors aren't immune to attack. There are plenty of viruses that attempt to disable AV programs, and AV vendors even end up patching their own packages. Ross says his company was the first to find the recent flaw in McAfee's Enterprise Policy Orchestrator software, which McAfee had unknowingly fixed in a software update. Once the company verified the flaw, it had to go back and reclassify it as a security update so users would be sure to patch it, Brown says.

So how do you get a handle on these apps in your organization to minimize your risk of an attack? An overall security policy helps. Do you allow these apps at all? If so, how do you keep them safely patched? "You should define proactively what good apps are and monitor the unknown ones," says eEye's Brown.

— Kelly Jackson Higgins, Senior Editor, Dark Reading