Analytics

7/28/2006
09:10 AM
Patch Work, Beyond Windows

Those non-Microsoft desktop apps may fly under the radar, but need IT attention too

Holes in Microsoft Windows, Office, and Internet Explorer may be the most popular conduits for a desktop attack, but they aren't the only ones.

Other desktop apps can be softer targets, mostly because they don't get IT's attention when it's swamped with monthly Patch Tuesday updates. The Mozilla Firefox browser vulnerabilities, revealed this week, are a recent example of how other, not-so-high profile desktop apps are increasingly facing security risks. (See Trojan Uses Firefox Add-On.) Apple's iTunes, AOL Instant Messenger, and even antivirus programs are examples of other desktop apps that can introduce vulnerabilities into your network, vulnerability researchers say.

Enterprises aren't as aware of these vulnerabilities as they are with Microsoft's. "They either don't know or aren't focusing their attention on them," says Marc Maiffret, CTO for eEye Digital Security. "My worry is that this will drive attackers to the low-hanging fruit of 10 or so other core applications on the desktop that are just as easy to exploit. IT needs to wake up before it takes a worm to create awareness."

As Microsoft gradually tightens up security on its existing Windows platform -- and with promises of a more airtight Vista as well as IE 7 -- hacking Microsoft's products is likely to become a bit more challenging for the bad guys. And that makes these lower-profile, and often lower-priority, apps an increasingly attractive target.

Enterprises can either lock down their desktops altogether with corporate-only apps or "limit" any non-corporate apps, says Jeremy Rauch, a researcher at Matasano Security. "Are the IT groups who support Firefox patching them with the same speed" as the group patching Microsoft? he asks.

Rauch says he's most concerned about instant messaging applications, which are typically left running unattended. "Anyone who knows your screen name can attack you," he explains. And these types of apps often fall under a grey area when it comes to corporate policy.

According to Kirk Drake, vice president of technology for NIH Federal Credit Union, staying on top of Microsoft patches is actually easier than keeping up with other desktop apps. "I have 15 or 20 apps, each of which comes out with two or six patches a year and I have to maintain them, all on different PCs," Drake says. NIHFCU has to track these security updates manually.

Bugs that go after non-Microsoft client apps have always been out there. "The way these client-side applications are connected to the outside world has changed. More and more, you get complex applications talking to each other in a very connected way," says David Aitel, CTO for ImmunitySec. "Video games and chat programs have Web portals attached to them."

The big trend is for entire communities of users of these apps to be attacked, such as AIM or other point-to-point applications, and even social networking sites like MySpace. "The top target is still Web, mail, and DNS servers. But client-side attacks are often easier to find," Aitel says.

That doesn't mean they're easier to exploit, though. "Personal firewalls, the thousands of different versions of targets, and the general asynchronous nature of client-side attacks make them somewhat of a numbers game," he says.

But researchers say most attackers today are still mainly going after the popular, well-entrenched Microsoft OS and apps.

Dave Meltzer, CTO of Cambia Security, found the first vulnerability in CDDB, the technology that lets iTunes "know" the CD you insert in your drive, 10 years ago. He says vulnerabilities in these apps aren't the number one problem, but they are yet another attack vector to the desktop. "And it's especially dangerous for internal desktops to be broken into," he says.

It doesn't help when companies like Macromedia and Apple bury security patches within feature updates, such as with iTunes, says Ross Brown, CEO of eEye. "Users often look and think, 'I don't really need those features,' so they don't install them and don't put the security features on," he says. "And IT doesn't put it on because it doesn't support these apps."

The obvious danger of third-party apps like QuickTime and iTunes is when the vulnerability is remotely exploitable with little or no user interaction, Brown says.

Even the AV vendors aren't immune to attack. There are plenty of viruses that attempt to disable AV programs, and AV vendors even end up patching their own packages. Brown says his company was the first to find the recent flaw in McAfee's ePolicy Orchestrator software, which McAfee had unknowingly fixed in a software update. Once the company verified the flaw, it had to go back and reclassify it as a security update so users would be sure to patch it, Brown says.

So how do you get a handle on these apps in your organization to minimize your risk of an attack? An overall security policy helps. Do you allow these apps at all? If so, how do you keep them safely patched? "You should define proactively what good apps are and monitor the unknown ones," says eEye's Brown.
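Brown's advice, to define the approved apps up front and watch for the unknown ones, is the kind of check that can be automated against a software inventory. The script below is an added example, not code from the article or any of the vendors quoted in it; the approved-app list, minimum patched versions and the host inventory are all constructed values, and the application names and version numbers are hypothetical stand-ins for whatever an organization actually ships.

```python
"""Audit a desktop software inventory against an approved-application list.

Each installed app is classified as:
  ok       - approved and at or above the minimum patched version
  outdated - approved but below the minimum patched version
  unknown  - not on the approved list at all (Brown's "monitor the unknown ones")

Added example; all data below is constructed for illustration.
"""
import re
from collections import Counter

# Approved applications and the lowest version that carries the current
# security fixes. Hypothetical values, normalised to lowercase names.
APPROVED_MIN_VERSION = {
    "firefox": "1.5.0.5",
    "itunes": "6.0.5",
    "quicktime": "7.1.3",
}

# Constructed inventory as a patch-management or login script might collect it.
CONSTRUCTED_INVENTORY = [
    {"host": "ws-01", "app": "Firefox",   "version": "1.5.0.4"},
    {"host": "ws-01", "app": "iTunes",    "version": "6.0.5"},
    {"host": "ws-02", "app": "Firefox",   "version": "1.5.0.5"},
    {"host": "ws-02", "app": "AIM",       "version": "5.9"},
    {"host": "ws-03", "app": "QuickTime", "version": "7.1.2"},
    {"host": "ws-03", "app": "Firefox",   "version": "2.0"},
]


def parse_version(text):
    """Turn '1.5.0.4' or 'v7.1.3 (build 12)' into a tuple of ints.

    Only the numeric dotted components are used; suffixes such as build
    tags are ignored so that textual comparison bugs ('10' < '9') are avoided.
    """
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_at_least(installed, minimum):
    """Compare version tuples after zero-padding to the same length."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def classify(app, version, approved=APPROVED_MIN_VERSION):
    """Return 'ok', 'outdated' or 'unknown' for a single installed app."""
    minimum = approved.get(app.lower())
    if minimum is None:
        return "unknown"
    return "ok" if version_at_least(version, minimum) else "outdated"


def audit(inventory=CONSTRUCTED_INVENTORY, approved=APPROVED_MIN_VERSION):
    """Classify every inventory row; returns a list of (host, app, status)."""
    return [(row["host"], row["app"], classify(row["app"], row["version"], approved))
            for row in inventory]


def summarize(findings):
    """Count findings by status so the report leads with what needs action."""
    return dict(Counter(status for _, _, status in findings))


if __name__ == "__main__":
    results = audit()
    for host, app, status in results:
        if status != "ok":
            print(f"{host:6} {app:10} {status}")
    print("summary:", summarize(results))
```

The `unknown` bucket is deliberately separate from `outdated`: an unapproved app is a policy question (is it allowed at all?), while an outdated approved app is a patching task, and the article's point is that both need an owner.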

— Kelly Jackson Higgins, Senior Editor, Dark Reading


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
