Regarding the latest annual Secunia security vulnerability report, blaming third-party apps for security problems on PCs is the incorrect way of approaching the perennial problem of the way software applications interact with each other.
The problem of inter-application security issues has been around ever since the Windows API was first seen way back in 1985. A lot has changed in the last 26 years, not least the number of function calls which the WinAPI now supports, having increased massively since the original 450 seen in Windows 1.0.
Against this backdrop, it’s interesting to see our colleagues at Secunia reporting that vulnerabilities in third-party products are the weakest link in software installations. More than anything, this confirms something our researchers have noted for some time, namely that software patches and updates need to be installed on a very timely basis, and allied to a highly effective range of IT security software at all times.
The report, which also predicts that network vulnerabilities will continue to be a problem in the year ahead, does an excellent job in detailing the issues that a good IT security manager and his/her team needs to address.
It all comes down to due diligence and risk analysis, a series of processes that needs to be updated and reviewed on a continual basis, rather than treating it as an annual `tick and check’ project to be carried out like a stocktaking exercise.
Having said that, the report’s conclusions – which include the fact that there often is a delay between flaws being exploited and the IT team in an organisation `getting around’ to patching the flaw on a remediated basis – need to be addressed.
And it’s for this reason that I recommend that organisations look to automated patching software, which can now be sourced on a freeware basis for several operating systems.
It’s interesting to note that Secunia has developed its own auto-update application – PSI 2.0 – which is free of charge and is actually a reduced feature version of the pay-for edition. The good news is that the message about the requirement for timely patches appears – at last – to be getting through to the software vendor community, especially Adobe, which now has an auto-update mechanism for Acrobat, Flash and Reader, developed apparently after lobbying from users.
When allied to a competent security advisory service like our own, IT security managers can rest easy in their beds, sure in the fact that their IT resources are as well defended as it is possible to be with the resources that are now available.