Better security needs 'more informed patching'

Security firm Secunia finds that the most popular three-dozen programs account for 80 percent of vulnerabilities. Better patching could help security, but not everyone agrees.

If companies patch the most popular 37 Windows programs, they could cut their risk by 80 percent, according to a report released on Wednesday by vulnerability management and information firm Secunia.

In its report, the company argues that businesses cannot afford to patch every flaw and so must focus on the applications that pose the greatest threat -- in this case, those with highly or extremely critical vulnerabilities. Companies that focus on patching the riskiest applications -- as measured by the criticality of their vulnerabilities -- can reduce their risk more than businesses that focus on just the most popular programs, according to the report.


"The question is what programs to patch; by just patching a few programs, you can have great effect," says Stefan Frei, research analyst director at Secunia and an author of the report. "The problem is that the programs you have to patch are dynamic. It is like chasing a moving target."

Secunia used data from its Personal Software Inspector (PSI), a free vulnerability and patch scanner that runs on 3 million Windows systems. The company found that the number of vulnerabilities affecting the typical endpoint jumped to 729 in 2010, from 225 in 2007.

Using the top-200 programs present on the systems, the company posed the question of which strategy would have the greatest impact on its measurement of risk -- a sum of the number of vulnerabilities weighted by their criticality. Secunia found that the most popular programs often have a large number of significant flaws, but not always.
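As an added illustration (this is not code from the article or from Secunia's report), the following Python script applies the risk measure described above, the sum of open vulnerabilities weighted by their criticality, to a small program inventory and compares two patching strategies under the same patching budget: patch the most popular programs first, or patch the programs with the highest criticality-weighted risk first. The inventory, the program names, the installed-share figures and the numeric criticality weights are all constructed assumptions for the example; the report ranks by criticality but the numeric values used here are my own.

```python
"""Patch-prioritization comparison: popularity versus criticality-weighted risk.

Added example, not from the Secunia report or the article. The inventory,
program names, installed-share figures and criticality weights below are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed weights (assumption): higher means more severe. The report
# ranks vulnerabilities by criticality label; the numbers are ours.
CRITICALITY_WEIGHT: Dict[str, int] = {
    "extremely critical": 5,
    "highly critical": 4,
    "moderately critical": 2,
    "less critical": 1,
    "not critical": 0,
}


@dataclass(frozen=True)
class Program:
    name: str            # constructed placeholder name
    share: float         # fraction of endpoints with the program installed (constructed)
    vulns: Tuple[str, ...]  # criticality labels of its open vulnerabilities


def risk_score(program: Program) -> int:
    """The article's measure: number of vulnerabilities weighted by criticality."""
    return sum(CRITICALITY_WEIGHT[c] for c in program.vulns)


def risk_covered(inventory: List[Program], patched: Set[str]) -> float:
    """Fraction of the inventory's total weighted risk removed by patching `patched`."""
    total = sum(risk_score(p) for p in inventory)
    covered = sum(risk_score(p) for p in inventory if p.name in patched)
    return covered / total if total else 0.0


def compare_strategies(inventory: List[Program], budget: int) -> Dict[str, Tuple[List[str], float]]:
    """Rank programs two ways, patch the top `budget` of each, and report risk removed.

    Returns {"popularity": (names, fraction), "risk": (names, fraction)}.
    """
    by_popularity = [p.name for p in sorted(inventory, key=lambda p: p.share, reverse=True)[:budget]]
    by_risk = [p.name for p in sorted(inventory, key=risk_score, reverse=True)[:budget]]
    return {
        "popularity": (by_popularity, risk_covered(inventory, set(by_popularity))),
        "risk": (by_risk, risk_covered(inventory, set(by_risk))),
    }


# Constructed inventory: a widely installed program is not always the riskiest,
# and a less common runtime can carry several extremely critical flaws.
INVENTORY: List[Program] = [
    Program("browser-a", 0.95, ("highly critical",) * 3 + ("less critical",) * 10),
    Program("pdf-reader", 0.80, ("extremely critical",) * 2 + ("highly critical",) * 4),
    Program("media-player", 0.70, ("less critical",) * 5 + ("not critical",) * 2),
    Program("archive-tool", 0.60, ("moderately critical",)),
    Program("runtime-x", 0.40, ("extremely critical",) * 3 + ("highly critical",) * 2),
    Program("chat-client", 0.30, ("highly critical",) + ("moderately critical",) * 2),
]

if __name__ == "__main__":
    for strategy, (names, fraction) in compare_strategies(INVENTORY, budget=3).items():
        print(f"{strategy:>10}: patch {names} -> removes {fraction:.0%} of weighted risk")
```

With a budget of three programs, the popularity ranking patches the three most installed programs and removes 53 of the 86 weighted risk points in this inventory, while the risk ranking picks up the little-installed runtime with three extremely critical flaws instead of the media player and removes 71 of 86. The point of the script is the comparison, not the constructed numbers: feeding it a real inventory (installed share from an asset register, criticality labels from an advisory feed) shows which strategy removes more risk for the patching effort an organization can actually afford.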

"If I put myself in the shoes of the cyber criminal," says Frei, "I would go after the program with the largest market share, and then I would focus on those that are the easiest to exploit."


However, other security researchers focus on a different measure of risk and that suggests a different strategy. For example, security consultant Daniel Guido of iSec Partners analyzed popular exploit kits available in 2009 and 2010, finding that the kits only included exploits for 27 of the approximately 8,000 vulnerabilities reported during those two years. Focusing on only those vulnerabilities can make a big difference in a company's security posture, he argues.

"There are major applications that are very difficult to attack and have many vulnerabilities identified in them," he says. "Chrome is a great example; Adobe Reader is a great example; even Microsoft products, for as long as they've been using SDL (Secure Development Lifecycle) have a large number of vulnerabilities found in there in every patch cycle."

Yet how hard vulnerabilities are to find, and how hard they are to exploit, affects how many security researchers -- both legitimate and malicious -- focus on finding and exploiting flaws in those products. Such market forces push researchers to concentrate on a few programs that are highly productive in terms of vulnerabilities.

For example, in his presentation in April, Guido found that turning on data-execution protection (DEP) would stop 14 of the 19 memory corruption vulnerabilities, while barring Java from running in the Internet zone would prevent 11 of the 15 kits from executing Java exploits.

Both researchers agree that patching is a good defensive strategy, in conjunction with other defensive technologies.

"Everybody does antivirus protection, but we have to be aware of the limitation of those techniques. With a patch you essentially stop this arms race," Secunia's Frei argues. "Once you install the patch, no matter how many variants the cybercriminals push out, you are safe."

Copyright © 2011 IDG Communications, Inc.
