Jamie DavisJamie Davis, VP, Quality and Education

Kaspersky Lab, a leader in IT security, released a report outlining their latest vulnerability findings for popular software applications.  Their report did not list Microsoft in their top 10 most vulnerable software applications which is good news; the bad news is they found popular products like Adobe and Java to be riddled with vulnerabilities.

A recent report by security researchers from Kaspersky Lab underscores this trend, highlighting Microsoft’s improved security posture while pointing out less promising security performances by Adobe and Oracle. The latter two vendors were criticized for producing all the products involved in the top 10 IT security vulnerabilities Kaspersky has detected, with Adobe’s Reader, Flash, and Shockwave products involved in 8 of the top 10 system vulnerabilities for the second quarter of 2011.

For the very first time in its history, this ranking includes products from two companies only: Adobe and Oracle (Java). As we inferred in a previous report, Microsoft products have disappeared from the ranking. First and foremost, this is due to improvements in the automatic Windows update mechanism.

Here is my take on these two quotes:

  • Microsoft, and more specifically Windows, is no longer the weakest link in software security
    • Microsoft releases relevant security patches in a timely manner
      • This presumes that a patching method is in place for Windows machines
  • Microsoft has fixed past issues with security and addressed security head on with their most recent versions of Windows
  • Other applications have security issues that are not addressed in a timely manner
    • Adobe (specifically Reader, Flash, and Shockwave) are high vulnerabilities
    • Java is also a security threat

The truth is, some of these applications are not needed nor used by the user.  Many servers have Adobe Acrobat installed on them without any purpose or use.  Many of these programs are bundled in with other applications that are installed and may or may not be needed for the application to work.  One of the answers to this issue is not in patching these applications–it is removing them completely.  For compliance reasons, Safe Systems has always recommended a software inventory be performed quarterly.  In the past, you may have looked for known adware or games like Jeopardy (those who laugh have probably not looked at their software inventory report in a while), but you may want to take a closer look next time at any ancillary software.  If there is not a business purpose for it, you should consider removing it, and therefore, removing the risk associated with it.

An example I see frequently is iTunes.  I’ve been asked a dozen times if iTunes is “safe” or not.  iTunes itself is most likely a pretty benign program, but let’s look at everything iTunes entails.  When you install iTunes (and every time it is updated), iTunes, QuickTime, Safari, and MobileMe are also installed.  Some of these are optional and you can uncheck them, but I’m guessing your users will at some point not uncheck and accidently install the software.  Installing iTunes has now installed four applications to keep patched.  In iTunes’ defense, I think it is a great program and along with the iPod, almost single-handedly brought Apple from the brink of irrelevancy to the wealthiest company in the US with more money than the US government.  My point is not that iTunes is bad and should be removed.  My real point is that a program as widely used and accepted as iTunes brings four programs that you must keep patched if you allow them to be installed.  The more applications allowed on your network, the more work for the institution’s IT staff to keep these items patched, safe, and secure.

So, RULE NUMBER 1: Remove unneeded software including Adobe Reader, QuickTime, etc. if they are not needed.

For the remaining software, a patching mechanism should be considered.  In the past there has been a lack of options to manage this.  One of the few options was to see if the program had an “Auto Update” option and enable this on each machine.  This is not available with all programs and is often a manual process that has to be done on each machine after the software is installed.

So, RULE NUMBER 2: Define a method to patch third party applications that are high vulnerabilities.

Safe Systems has used different programs like SUS, WSUS, and NetComply for Windows patches for years, but historically we have had to write our own install packages each time Adobe or Java released important security updates. In an effort to improve this process and provide our customers with a new option, we developed our own third-party patching solution called CAPS (Critical Application Patching Service).  This service will scan every machine weekly and install the latest version of the application on any machine that is out-of-date.  Currently, it handles Adobe Reader and Java, which are identified in the Kaspersky Lab report.  Adobe Reader, Adobe Flash, Flash for IE, QuickTime, and Java will all be addressed on a weekly basis.  The management process will be similar to the current Patch Management process in NetComply where a report will be provided outlining any machines that failed to update, leaving the network admin with a few outliers to address rather than every machine in the network.  This service is already being used for Safe Systems’ Platinum customers and on Gold servers, but is now available as an add-on service to address security vulnerabilities for Gold workstations and Silver devices.

If you’re interested in learning more about our CAPS service, please contact your Account Manager.

Reference Material:




Write a Comment