My IDG News Service colleague Jeremy Kirk has an interesting article on some new Secunia research regarding third-party apps. Here are some of the more interesting parts:

The number of vulnerabilities in software commonly found on PCs shot up by an astounding 71 percent between 2009 and 2010, mostly due to problems in third-party applications rather than in the Windows OS or Microsoft apps, said Stefan Frei, research analyst director for Secunia. The company released its annual vulnerability report on Tuesday.

“When we dig deeper we find the main contributor is not vulnerabilities in Microsoft products but vulnerabilities in third-party products,” Frei said. “Traditionally we still perceive Microsoft programs and the Microsoft operating system to be the main culprit, the main threat. However, this has changed.”

For its report, Secunia used data from its Personal Software Inspector (PSI) application, which analyzes PCs to see if the installed programs have the latest patches. The PSI has been installed on more than 3 million computers. Of the top 50 most commonly installed software products, 26 were made by Microsoft and 24 other applications came from a total of 14 third-party vendors, Frei said. In 2010, users had about four times more vulnerabilities in the third-party vendor products than in the Microsoft applications.

Here’s a bit more from an e-mail Secunia sent me this morning:

This key trend is primarily the result of vulnerabilities found in third-party (non-Microsoft) programs, which are also much harder to patch due to a lack of a unifying patch mechanism.

This lack of unity and automation, coupled with the sheer complexity of IT systems and lack of user awareness about patching, results in a lengthy process. For example, end-users with the average software portfolio installed on their PCs will need to master around 14 different update mechanisms from individual vendors to update their programs and keep their IT systems protected against vulnerabilities.
As a result, there is a huge delay from the point in time when vulnerabilities are discovered and details reach cybercriminals, before users and corporate security teams actually deploy the appropriate security updates.

Despite vulnerabilities being the weakest point in modern IT systems, the main challenge is to educate users and IT administrators/departments to prioritise the deployment of security updates. Even users who are aware of the dangers of unpatched third-party programs often do not update in a timely fashion due to:

• Lack of complete inventory details
• Patching is often regarded as a secondary security measure
• Third-party programs are not yet perceived as the preferred attack vector by non-security staff
• Security updates are complex to navigate and deploy

This isn’t surprising to me. There’s an app for everything out there, and people tend to download any app that will help them with whatever pressing task they’re trying to solve at that moment.

When you have a problem to solve, the last thing on your mind is security. I’m guilty myself. I’ve downloaded third-party apps without thinking when I’ve run into problems with my podcasting tools. I’ve done it at other times. I’m human, and to be human is to do stupid things sometimes.

That’s why it’s good to see research like this. It reminds me that I need to be careful.
May it do the same for you.

–Bill Brenner