The Threat of the End-User PC - Computer Security - Software

Date post: 12-Sep-2021

secunia.com

The Threat

The number of vulnerabilities in the Top-50 most popular programs typically installed on end-user PCs is increasing at an alarming rate. This trend is primarily driven by the increase in vulnerabilities discovered in 3rd party programs (non-Microsoft), which have exceeded Microsoft as the criminal’s preferred target.

The threat from 3rd party programs is substantiated by three traits:

The number of vulnerabilities in 3rd party programs

The prevalence of 3rd party programs on end-user PCs

The low patching level of 3rd party programs

This provides criminals with a large pool of commonly used programs that are easier to exploit [1] and unlikely to be found fully patched.

Why End-User PCs?

Vulnerabilities on end-user PCs are often exploited when the user of the vulnerable computer visits a malicious website (with content controlled or injected by a criminal), or opens data, files, or documents using one of the numerous programs and plug-ins installed on the PC. With just one single action the user potentially “grants” a criminal access to the network without knowing it.

Furthermore, due to the variety and prevalence of programs, paired with the unpredictable usage patterns of users, criminals are provided with multiple targets to address. This makes the installed 3rd party programs on end-user PCs profitable targets, with the 3rd party programs representing a primary risk factor.

The Study

To contribute to the debate on 3rd party program vulnerabilities and the threat they represent, a dedicated study was carried out by Secunia for the first six months of 2010.

This looked at the Top-50 most prevalent programs found on typical end-user PCs, and revealed that this Top-50 portfolio consisted of 26 Microsoft and 24 non-Microsoft (3rd party) programs from a total of 14 different vendors (including Microsoft).

Overall the study found that 3rd party program vulnerabilities are the primary risk factor for typical end-user PCs (see Table 1), and are almost exclusively responsible for the increasing trend in vulnerabilities discovered since 2007 (see Figure 1).

Why Overlook Patching?

Some of the reasons for businesses and private users not focusing on 3rd party programs are:

A perception of the Operating System (OS) and Microsoft products being the primary attack vector

Lack of an easy to use update mechanism

The frequency and complexity of managing a large number of different update mechanisms

A general lack of awareness about the consequences of vulnerable programs

Typically, a user can patch 35% of the vulnerabilities with one update mechanism (Microsoft’s). The user then needs to master another 13 or more different update mechanisms to patch 65% of the 3rd party program vulnerabilities.

Recent research revealed that typically 50% of users have more than 66 programs from more than 22 different vendors installed [2].
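As an added example, not from the Secunia paper: the PowerShell below inventories the programs installed on a Windows PC from the standard registry Uninstall keys and groups the non-Microsoft ones by publisher, which shows how many distinct vendors (and so potentially separate update mechanisms) a given end-point depends on. It assumes the registry paths named in the script and treats any publisher name starting with "Microsoft" as covered by the Microsoft update mechanism.

```powershell
# Added example, not part of the Secunia paper: count installed programs and the
# distinct 3rd party vendors behind them, i.e. how many update mechanisms this
# PC may need besides Microsoft's.
# Assumption: programs register themselves under the standard Uninstall keys
# (64-bit, 32-bit/WOW6432Node and per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Skip entries without a display name and hidden system components.
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.DisplayName
            Version   = $_.DisplayVersion
            Publisher = if ($_.Publisher) { $_.Publisher } else { '(unknown)' }
        }
    } |
    Sort-Object Name -Unique

# Assumption: anything published by Microsoft is patched through the single
# Microsoft update mechanism; everything else is a 3rd party program.
$microsoft  = @($programs | Where-Object { $_.Publisher -like 'Microsoft*' })
$thirdParty = @($programs | Where-Object { $_.Publisher -notlike 'Microsoft*' })
$vendors    = @($thirdParty | Group-Object Publisher | Sort-Object Count -Descending)

"Installed programs : $($programs.Count)"
"Microsoft programs : $($microsoft.Count)"
"3rd party programs : $($thirdParty.Count)"
"3rd party vendors  : $($vendors.Count) (each a potential separate update mechanism)"
""
"3rd party programs per vendor:"
$vendors | Select-Object @{ n = 'Vendor'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys are readable; the per-vendor table is the list of update channels an administrator would have to track for that PC.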

The Threat of the End-User PC - Are you securing your end-points?


Highlights of the Study

The study of the Top-50 portfolio found that:

From 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled to 420 vulnerabilities

During the first six months of 2010, 380 vulnerabilities were identified in the Top-50

Based on the data of the first six months of 2010, the number of vulnerabilities affecting a typical end-user PC is expected to almost double again in 2010 to 760

In 2009, a typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010

To keep the Top-50 programs fully patched the user can patch the operating system and the 26 Microsoft programs with one easy to use auto-update mechanism (Microsoft)

To patch the remaining 24 3rd party programs from 13 different vendors typically requires managing another 13 or more different update mechanisms

The Solution

To aid companies in obtaining an accurate overview of their end-points, and ensure that all programs are patched, Secunia has developed the Secunia Corporate Software Inspector (CSI).

The Secunia CSI is an authenticated vulnerability and patch scanner that:

Identifies installed programs and missing security patches

Facilitates simplified patch management of both Microsoft and 3rd party programs due to its integration with Microsoft WSUS and SCCM

For further information on the study read the Secunia Half Year Report 2010 [3].

Table 1 Number of vulnerabilities and vulnerability events including breakdown by operating system, Microsoft and 3rd party programs.

Vulnerabilities (CVE) - Breakdown     2007   2008   2009   YTD* 2010   trend 2010
Windows XP                              39     55     72          47           94
Windows Vista                           25     49     58          39           78
Microsoft programs                      79     89     85          62          124
3rd party programs                     120    207    286         275          550

Vulnerability Events** - Breakdown    2007   2008   2009   YTD* 2010   trend 2010
Windows XP                              31     33     35          27           54
Windows Vista                           18     30     28          19           38
Microsoft programs                      40     35     27          18           36
3rd party programs                      43     42     51          32           64

* YTD = January-June 2010
** Vulnerability Events: the number of administrative actions required to keep the software secure.

Figure 1 Breakdown of the Top-50 portfolio vulnerabilities into Operating System, Microsoft, and 3rd party (not from Microsoft) programs.

[Figure 1: two line charts, “Top-50 3rd party vs. WinXP (CVE)” and “Top-50 3rd party vs. WinVista (CVE)”; x-axis 2005-2010, y-axis 0-500 CVEs; series: 3rd party prog., Microsoft prog., and Windows XP or Windows Vista respectively.]

“While vulnerabilities in Windows XP and Vista will climb by 31% and 34%, respectively, this year compared to 2009, bugs in third-party software will jump by 92%, in other words, nearly double last year’s number.”

Gregg Keizer, ComputerWorld, July 2010 [4]


For Business Users

The Secunia CSI has been developed to aid businesses in managing the cumbersome tasks of detecting and patching vulnerabilities. The Secunia CSI is an authenticated vulnerability and patch scanner, which identifies installed programs and missing security related patches.

The Secunia CSI automatically repackages patches and integrates with Microsoft WSUS for easy patch distribution and Microsoft SCCM, for extensive patch management.

http://secunia.com/vulnerability_scanning/corporate

For Private Users

The Secunia PSI is a free security tool for private users. It is designed to detect vulnerable and outdated programs and plug-ins that expose PCs to attacks. Since 2007 more than 2.6 million users have installed the Secunia PSI to help protect their PCs.

The Secunia PSI’s automatic updating improves the security of home users’ PCs by enabling the updating of a broad variety of programs from a number of different vendors in one solution.

http://secunia.com/vulnerability_scanning/personal/

Further Reading

[1] Secunia Paper “DEP/ASLR Implementation Progress in Popular Third-party Windows Applications”, http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf

[2] Secunia Paper “The Security Exposure of Software Portfolios 2010”, http://secunia.com/gfx/pdf/Secunia_RSA_Software_Portfolio_Security_Exposure.pdf

[3] Secunia Half Year Report 2010, http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf

Being the leading provider of Vulnerability Intelligence, Secunia plays an important role in the security ecosystem, and is the preferred supplier for more than 1,000 enterprises and government agencies around the globe.

Vulnerabilities in programs represent the ‘Achilles’ Heel’ of any network or IT system. Secunia’s mission is to identify and eliminate the threat from these vulnerabilities, by accurately tracking software vulnerabilities and supplying products to our customers, and the community.

The quality and importance of Secunia in the security ecosystem is publicly recognised by customers, partners, software vendors, industry peers, the media, and the community.

Secunia has from year one exhibited peerless financial and strategic performance, proving the following by organic means:

Higher growth than market average since inception

Continuous growth in staffing

Yearly profitability

No bearing debt

Privately funded, no venture capital

Dun and Bradstreet AA rating

A very strong and credible brand

Contact [email protected] for more information


“For PC users, the threat of unpatched third-party apps is not abating. According to Secunia, a typical end-user PC with 50 programs installed had more than three times as many vulnerabilities in the 24 third-party programs than in the 26 Microsoft programs installed.”

Brian Prince, eWeek, July 2010 [5]

[4] Third-party software bugs skyrocket in 2010, http://www.computerworld.com/s/article/9179105/Third_party_software_bugs_skyrocket_in_2010

[5] Third-Party Software Bugs Pose Big Danger, Secunia Finds, http://www.eweek.com/c/a/Security/ThirdParty-Software-Security-Bugs-Leading-Threat-Secunia-Finds-717436/