Enterprise application whitelisting company Bit9 launched an attention-getting press release last week, a document which merely bubbled for a few days until the recent Internet Explorer flaw took center stage and Mozilla pushed out a few Firefox updates.
Eventually, the heat under the issue boiled over, prompting Mozilla to tackle the Bit9 report on its Mozilla Security Blog.
Beep Beep Beep
Backing up the truck, Bit9 revealed its annual ranking of threats in plain sight — “The Dirty Dozen” of 2008’s most popular applications with critical security vulnerabilities.
Bit9 held itself to a few criteria: The applications it chose had to be real applications used frequently by end users — as opposed to malware or esoteric applications.
Often running outside of the IT department’s knowledge or control, these applications can be difficult to detect, Bit9 reported, saying they create a data leakage risk in endpoints that are otherwise secure.
The five apps topping off Bit9’s Dirty Dozen:
- Mozilla Firefox, versions 2.x and 3.x
- Adobe Acrobat, versions 8.1.2 and 8.1.1
- Microsoft Windows Live (MSN) Messenger, versions 4.7 and 5.1
- Apple iTunes, versions 3.2 and 3.1.2
- Skype, version 126.96.36.199
More specifically, Bit9 reported that each application on the list has the following characteristics:
- Runs on Microsoft Windows.
- Is well-known in the consumer space and frequently downloaded by individuals.
- Is not classified as malicious by enterprise IT organizations or security vendors.
- Contains at least one critical vulnerability that was first reported in January 2008 or after, or registered in the U.S. National Institute of Standards and Technology‘s (NIST) official vulnerability database, and given a severity rating of “high” (between 7.0 and 10.0) on the Common Vulnerability Scoring System (CVSS).
- Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
- The application cannot be automatically and centrally updated via free enterprise tools such as Microsoft SMS or WSUS (Window Server Update Services).
“Year after year, we see a growing number of applications within the enterprise creating security vulnerabilities that are easily prevented through better visibility across endpoints, and a more centralized patch-management process,” noted Harry Sverdlove, chief technology officer at Bit9.
The last two criteria — the app relies on the end user and can’t be automatically or easily centrally updated — seems to the be the biggest issue. Mozilla’s Firefox pushes out security updates to end users directly via the Internet, which makes it difficult for an IT department to control security patches or ensure that all desktops running Firefox, for example, have been patched.
So What’s Really Wrong Here?
“While we’re always happy to see stories that focus on educating our users about security, there are some problems with Bit9’s methodology that hinder its ability to draw any meaningful conclusions,” noted Johnathan Nightingale, Mozilla’s Human Shield, on the Mozilla Security Blog.
“Bit9 says it drew up this list by identifying popular applications that have had a critical vulnerability reported in 2008. This is an ineffective test, as it rewards software companies that conceal their security vulnerabilities,” he added.
Furthermore, Nightingale noted, “Bit9 seems to understand this in its focus on application support for updates, but again it fails to account for the real world experience. Firefox does not deliver WSUS updates, but our built-in update mechanism requires no user intervention, and we consistently see 90 percent adoption within six days of a new update being released.”
Still, in the enterprise, is end-user patching a security risk?
“Central management and reporting is almost always more secure than end-user driven updating. End-user updating works well for knowledgeable, security-conscious users, but any mid-to-large organization should be looking to manage vulnerabilities and patch centrally,” Michael Argast, a security analyst at Sophos, told LinuxInsider.
“You can only count on a very small proportion of your user base paying attention to and caring about security,” he added.
What about the recent IE security brouhaha? IE patches can be applied centrally.
“The recent IE situation was a bit of an anomaly insofar as there was a known vulnerability with exploits active in the field before there was any form of patch available,” Argast said.
“In those cases, you need to either switch to a non-vulnerable system, change behaviors — restrict access to browsing — or use other mechanisms to provide protection. A good example of an alternative mechanism would be behavioral protection from an antimalware company, which could block an exploit prior to a patch being available,” he explained, noting that in the case of Sophos, his company had behavioral protection out several days prior to a patch being available from Microsoft.
Still, “In almost all cases a company will get better broad protection by managing this centrally rather than depending on activities driven by the end-user. The application itself is important, but there are so many different avenues of attack these days — operating system, browsers, browser helper applications such as QuickTime. Relying on the end-user to maintain even relatively secure applications is placing too much burden on users,” Argast added.
No Single Answer
Not everyone believes that central control of the update process is the best or only method, and even with Firefox, enterprises can disable the automatic update process and send out their own update packages via their own IT infrastructure.
“Since central IT can turn it off [automatic updates], I don’t see the problem,” Rich Mogull, a security consultant, told LinuxInsider. Mogull did disclose, however, that he is currently working on a security metric project with Mozilla.
What does Mogull think about the IE vulnerabilities? Can a company get better, faster protection via end-user rollouts rather than via central, IT-driven rollouts?
“Often they can, at the risk of having patches that haven’t been tested for their environment,” Mogull said. “We do see some organizations trust vendor updates for some of their software, but generally enterprises want to do at least a little testing on major apps before deployment,” he added.