Most people owning a PC are familiar with Microsoft’s patching process – it’s easy and it’s there. For a lot of them, it also gives the impression that Microsoft’s products are chock-full of flaws.
But, according to Stefan Frei, Research Analyst Director with Secunia, it’s not the vulnerabilities in Microsoft’s products we should worry about, but those in third-party software.
At the Infosecurity press event in London, Frei said that even though the number of discovered vulnerabilities has slightly decreased in the last two years, the worrying fact is that 84 percent of all those found in 2010 can be exploited from a remote location, and that 69 percent are tied to third-party products that may or may not have a quality patching mechanism in place.
The percentages reported are the result of Secunia’s Annual Report for 2010, compiled by taking stock of the information gathered by their Personal Software Inspector – a tool designed to detect vulnerable and outdated programs and plug-ins.
According to this numbers, 55 percent of the end-point users have more than 66 programs from more than 22 vendors installed on their systems. Of the top 50 software used, 26 are developed by Microsoft, and the remaining 24 by 14 other vendors.
A simple equation can tell us how many opportunities a cyber criminal has: number of hosts x number of vulnerabilities = opportunity.
Currently, some 28 percent of the world’s population – that’s almost two billion people – have access to and use the Internet. From 2000 to 2010, the number of global users grew by 448 percent, and that certainly didn’t go unnoticed by cyber criminals.
But, as the number of found vulnerabilities has decreased, the number of vulnerabilities affecting typical end-point computers has increased of about 71 percent. And third party programs are almost exclusively responsible for this trend, as 69 percent of the vulnerabilities are found in them.
So, one single patch mechanism covers 31 percent of the vulnerabilities found in the OS (Windows) and other Microsoft products, but 13 different update mechanisms are needed to patch the remaining 69 percent of vulnerabilities found in third-party software.
And when these patching update mechanisms are too complex, patches become virtually useless. It is no wonder, then, that the results proved that third party programs are less likely to be found fully patched.
According to Frei, patching is extremely important, but its importance is still not fully recognized and prioritized. “A patch provides better protection than a thousands of signatures, because it eliminates the root cause,” he says. The problem is that most users still consider the OS and Microsoft products as primary attack vectors and ignore the patching of third-party software.
It turns out, then, that cybercriminals don’t actually need to exploit vulnerabilities in Microsoft software, or even zero-day vulnerabilities – there are plenty of those in third-party software.
Wouldn’t silent patching solve many of these problems, I asked. Frei said that he advocates default silent patching for inexperienced users, because he believes that those who know should help those who don’t, but that experienced and knowledgeable users should be able to switch it off.