Mitigating IT Risk from Third Party Application Vulnerabilities
As the use of non-Microsoft, third party applications and software has increased in the workplace, so has the risk to organizations' IT environments. Most organizations today take at least twice as long to patch third-party application vulnerabilities as they do to patch operating system vulnerabilities. Cybercriminals have taken notice of this and are leveraging vulnerabilities in third party applications as new attack vectors into organizational networks.
Today more than 2 million malware signatures are identified each month, and that number is expected to grow. Increasingly, cybercriminals are focusing their efforts on exploiting existing and known 'critical' vulnerabilities¹. Even vulnerabilities that have existed for quite some time continue to be exploited by malware; many of these are in non-Microsoft, third party applications.
Top Vulnerabilities Most Exploited by Malware
| Vulnerability | Year | Year |
|---|---|---|
| 1. Microsoft Internet Explorer RDS ActiveX | 2006 | 2006 |
| 2. Office Web Components Active Script Execution | 2002 | 2002 |
| 3. Microsoft Video Streaming (DirectShow) ActiveX Vulnerability | 2007 | 2009 |
| 4. Real Player IERPCtl Remote Code Execution | 2007 | 2007 |
| 5. Adobe Acrobat and Adobe Reader CollectEmailInfo | 2007 | 2008 |
| 6. Adobe Reader GetIcon JavaScript Method Buffer Overflow | 2009 | 2009 |
| 7. Adobe Reader util.print() JavaScript Func() Stack Overflow | 2008 | 2008 |
| 8. Microsoft Internet Explorer Deleted Object Event Handling | 2010 | 2010 |
| 9. Microsoft Access Snapshot Viewer ActiveX Control | 2008 | 2008 |
| 10. Adobe Reader media.newPlayer | 2009 | 2009 |
| 11. Microsoft Internet Explorer (OE) iepeers.dll | 2010 | 2010 |
| 12. BaoFeng StormPlayer Buffer Overflow | 2009 | 2009 |
| 13. JVM Buffer Overflow Vulnerabilities | 2009 | 2009 |
| 14. Microsoft IE STYLE Object Invalid Pointer Reference | 2009 | 2009 |
| 15. Java WebStart Arbitrary Command Line Injection | 2010 | 2010 |
Patching and configuration management are central components of a defense-in-depth approach that minimizes the risk of cybercriminals exploiting vulnerabilities for financial gain. By leveraging patch and configuration management solutions, organizations can mitigate the majority of their IT risk. But not every patch management solution is equal.
There are "free" stand-alone patch tools and native software updaters available, but these point technologies require more administrative burden, and they only mitigate a subset of vulnerabilities. The breadth of patch content supported varies widely across patching products. Compare coverage and ensure that your provider can support your application and operating system vulnerability management requirements.
By implementing a patch management solution that automates policy baselines across the OS and third party applications, IT can more effectively reduce risk across the entire organization. Ideally, the patch management solution is offered as part of a comprehensive endpoint management and security suite that can integrate with other capabilities such as application control/whitelisting and anti-virus. Through an integrated approach to patch and overall endpoint management, IT can deliver a more effective endpoint security strategy while also improving operational efficiencies.
Shifting to Defense-in-Depth
Source:
1. Dark Reading, February 3, 2011