There are a lot of steps IT departments must take to keep their companies’ data secure. One critical activity: making sure all software on servers and user machines is kept up to date.
Hackers often gain access to networks by exploiting vulnerabilities in applications. Therefore, along with training users to avoid threats and other critical IT security practices, making sure all that software is patched is a key way to prevent attacks.
In the past, many organizations chose to focus on patching the Windows operating system and other Microsoft software. Since nearly every computer contained those components, a big chunk of attacks focused on exploiting their vulnerabilities.
Third-party software needs to be patched
But the threat landscape is changing, according to Secunia's 2013 Vulnerability Review. A growing share of reported vulnerabilities is in software from other vendors, and organizations that rely on Microsoft's automatic updates as their whole patch management strategy could be leaving their networks open to those threats.
While Microsoft still accounts for plenty of software vulnerabilities, according to Secunia (29 of the 50 most vulnerable programs came from the software giant), over the past five years non-Microsoft software's share of the vulnerabilities Secunia tracked has risen from 57% to 86%.
What software causes the most security trouble for IT? Aside from Windows and other Microsoft software, these were the applications that were featured prominently on Secunia’s list of the most vulnerable software:
- Flash — Adobe Flash Player has gotten a lot of attention lately for how frequently the developer issues critical patches to fix bugs. And according to Secunia, Flash Player was the most vulnerable third-party application in 2012.
- Java — Java security has also drawn a lot of attention, to the point where some organizations even recommend disabling Java on all machines unless it's absolutely needed.
- Apple — While Mac OS X is still considered a more secure alternative to Windows, as the operating system and other Apple products become more popular, hackers are beginning to look for bugs in those areas, too. In 2012, Apple's iTunes, QuickTime, Bonjour for Windows and Apple Software Update were all among the most vulnerable software. (Note: Secunia's report only looked at Windows machines, so it doesn't account for computers running Mac OS X.)
- Web browsers — Microsoft’s Internet Explorer was rated as the most vulnerable browser — and the third-most vulnerable application overall. However, Google’s Chrome and Mozilla’s Firefox also made the list.
- Document/media viewers — Given that a lot of attacks occur when hackers trick users into opening malicious files, it makes sense that vulnerabilities in the software that views or plays those files are often exploited. Adobe Reader was the most vulnerable application of this type, and others such as the open source VLC Media Player and Apple's iTunes also made the list.
Keys for effective patch management
The bottom line for IT: It’s not enough to verify that Microsoft’s automatic updates are being pushed to all machines throughout the organization. As Secunia’s report shows, software from all vendors needs to be kept patched and up to date.
That’s difficult to manage, especially since 40% of users admit they ignore prompts telling them their software needs to be updated, according to a survey conducted last year by Skype.
And although updates are often released precisely to patch vulnerabilities, 45% of users said they don't install upgrades because they're worried about the security of their computers.
Other top reasons for avoiding a software patch:
- 27% said upgrades take too long
- 26% don’t understand what the upgrade will do
- 25% don’t see a benefit of installing a software patch
- 20% said updates slow down their computer, and
- 18% said new versions of software are buggy and crash too often
The good news: Vendors are getting better at patching their software. Among the software Secunia looked at, 84% of vulnerabilities had a patch available on the day of disclosure last year, up from 72% in 2011.
To make sure those critical updates are actually installed, experts recommend IT:
- Educate users on why keeping the software on their PCs up to date is important
- Keep an updated inventory of all the applications that are installed, which can be used to conduct regular audits to make sure everything’s up-to-date
- Prioritize so that the applications most likely to need security updates (the browsers, plugins and viewers above) get patched first, and
- Have a patch management policy detailing when certain types of patches may be rolled out — for example, updates that won’t require a restart can take place anytime during the workday, while others should have specified times to minimize the impact.
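The inventory, prioritization and rollout-policy steps above can be combined into a single per-machine audit. The PowerShell script below is an added example, not code from the original article or from Secunia: it assumes PowerShell 5.1 or later on a Windows machine, reads the installed-programs list from the registry uninstall keys, and compares it against a baseline of minimum versions for the high-risk applications named above. The application names, minimum versions, priority tiers and restart flags in $baseline are placeholders to be replaced with the versions your vendors currently ship.

```powershell
# Added example, not from the original article. Requires PowerShell 5.1+ on Windows.

# 1. Inventory: read the uninstall keys (64-bit, 32-bit and per-user views). This is the
#    list Add/Remove Programs shows and is far faster than Win32_Product, which also
#    triggers an MSI consistency check of every package it enumerates.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$inventory = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher

# 2. Baseline (placeholder values): the high-risk applications from the article, each with a
#    minimum acceptable version, a priority tier, and whether its update needs a restart.
#    'Java*Update' deliberately matches both "Java 7 Update 15" and older "Java(TM) 6 Update 45".
$baseline = @(
    [pscustomobject]@{ Match = 'Adobe Flash Player'; MinVersion = '11.6.0.0'; Priority = 1; Restart = $false },
    [pscustomobject]@{ Match = 'Java*Update';        MinVersion = '7.0.150';  Priority = 1; Restart = $false },
    [pscustomobject]@{ Match = 'Adobe Reader';       MinVersion = '11.0.2';   Priority = 1; Restart = $false },
    [pscustomobject]@{ Match = 'iTunes';             MinVersion = '11.0.2';   Priority = 2; Restart = $true  },
    [pscustomobject]@{ Match = 'QuickTime';          MinVersion = '7.7.3';    Priority = 2; Restart = $true  },
    [pscustomobject]@{ Match = 'VLC media player';   MinVersion = '2.0.5';    Priority = 3; Restart = $false }
)

function Convert-ToVersion([string]$text) {
    # DisplayVersion is free text; keep only the leading dotted-numeric part [version] can parse.
    if ($text -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    if ($text -match '^\d+')             { return [version]"$($Matches[0]).0" }
    return $null
}

# 3. Audit: anything below the baseline, or with a version string we cannot parse, is a finding.
$findings = foreach ($rule in $baseline) {
    $need = [version]$rule.MinVersion
    foreach ($app in ($inventory | Where-Object { $_.DisplayName -like "*$($rule.Match)*" })) {
        $have = Convert-ToVersion $app.DisplayVersion
        if ($null -eq $have -or $have -lt $need) {
            # 4. Rollout policy: restart-free updates can go out during the workday;
            #    the rest wait for the scheduled maintenance window.
            $window = if ($rule.Restart) { 'Maintenance window' } else { 'Any time' }
            [pscustomobject]@{
                Priority    = $rule.Priority
                Computer    = $env:COMPUTERNAME
                Application = $app.DisplayName
                Installed   = $app.DisplayVersion
                Required    = $rule.MinVersion
                Window      = $window
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Priority, Application | Format-Table -AutoSize
    # One CSV per machine (run from a logon script or scheduled task), merged centrally.
    $findings | Export-Csv -Path "$env:COMPUTERNAME-patch-audit.csv" -NoTypeInformation
} else {
    "No out-of-date applications found on $env:COMPUTERNAME"
}
```

Two caveats a practitioner should keep in mind. The HKCU view only covers the user running the script, so per-user installs in other profiles on a shared machine will not appear unless the audit runs in each user's context or walks every loaded hive. And software that does not register an uninstaller (portable applications, some browser plugins) is invisible to this method and needs a file-system or plugin-specific check instead.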