Patching – It's not just for Windows

April 1, 2011 | By Damon Armour, IT Security Officer, contributing writer

 

When the topic of patching your computer software comes up, the first item on everyone’s mind is the operating system. Whether that is Windows, Apple’s OSX, Linux, etc., they all have issues with their programming that require security or functionality patches. The area that is often overlooked is our applications–Microsoft Office, Adobe Acrobat, Firefox, Flash, etc.  Applications, in many cases, do not have a patch cycle, nor do vendors always notify you when there is a need to install patches. Today, many digital criminals are targeting our applications and using them to steal our personal information or to remotely take over our machines.

Microsoft Office is a mainstay on computers, whether PC or Mac. Yet Office has functionality that can be used maliciously if not kept current with the latest security patches. The macro features of Office are a primary target for exploit writers. Microsoft includes security and functionality patches with its regular Patch Tuesday (second Tuesday of the month) releases.  You’ll also notice that Microsoft releases updated definitions to assist with Outlook’s spam filtering. When an individual is patching a Windows OS, it is very important to include any additional patch releases for Office or other Microsoft products.

There has been an increased focus this year on the growth of web applications and web tools.  Web browsers are the primary avenue for people to surf the Internet. Popular web browsers include Internet Explorer, Firefox, Chrome, Safari, and Opera. Internet Explorer 9 was recently introduced by Microsoft to provide more functionality and better security. Firefox 4 and Chrome 10 are newly released, providing users more features while also including settings to enable better privacy. Maintaining current versions of your web browser can ensure the security of your information and provide the necessary tools to access current Internet content.

Adobe’s Flash components have seen an increase in use online, and with that growth, an increase in exploits against its code. Adobe has released multiple security patches in 2010-11 to address these threats. Yet notifying the general public on updating Flash is spotty. Another application with recent exploits from Adobe is Acrobat (Reader, Professional). Acrobat is used to open and/or edit PDF files. Similar to the Flash issues, Acrobat has suffered from malicious code being created and used publicly on the Internet and on company networks.

Java is a software platform used commonly with Internet applications and local to our computers. Within the last two years, Sun (the company that supports Java) has pushed out a large volume of Java updates and patches. Keeping up with all the changes can be challenging.  Another issue with Java is being locked into a certain version. In some cases, a user will be forced to maintain an old, potentially vulnerable version of Java to keep their other applications functional. If such a case exists for an individual, work with the application vendors to voice your concerns on locking Java versions.

The primary risk being exploited with unpatched software applications is remote execution or arbitrary code execution. Wikipedia defines arbitrary code execution as “an attacker’s ability to execute any command of the attacker’s choice on a target machine or in a target process.” In other words, the software flaw could allow someone, without your knowledge, to take over your computer. This could enable the attacker to run applications on your machine and use those tools to steal your information, send spam from your computer, or use your computer in a distributed denial of service attack—in most cases, without you even knowing there is an issue involving your computer.

How do you protect yourself from this array of applications and the real threat of vulnerabilities? The number one step is by being diligent on checking for application patches and fixes. Most applications come with an online update check process. Normally when the application runs, a process will run in the background to check for updates. Check to see if your application configuration has this feature enabled. If an application does not include online update features, check with the vendor to see if there are mailing lists or other methods to stay informed. If you are unsure, contact the ITS Helpdesk at 706-737-1482 for further assistance.

Another option to assist in our application vulnerability checking is tools that can scan our computers for out-of-date versions. One of those options is from Secunia called OSI (online), PSI (Personal-use), or CSI (Corporate-use). Depending on the version of the product that an individual has the ability to use, it will scan your computer and match software versions with its database. Secunia CSI is one of many tool that ITS is currently reviewing to assist with patching our third-party applications (Adobe Acrobat, Flash, Java, etc.).

With Secunia, you can see which applications are fully patched, which are insecure, and also applications that have reached their end of life. The tool can provide a link to get the most current version, technical details on the product, and also a link to their community forums if you need assistance. This is one of multiple offerings in the realm of security products.

This article has shown that patching our operating system(s) is not the minimum standard to maintaining a secure computer. Application threats have grown recently for multiple reasons.  Individuals should keep an inventory of the applications that are running on their computers.  Use the automatic updating tools or a third-party vulnerability scanning tool to verify that your versions are up-to-date. By patching computers fully (operating system and applications), an individual can greatly reduce the risk of application issues and/or data losses.

Resources:
Internet Explorer 9: http://ie.microsoft.com/testdrive/
Firefox 4: https://www.mozilla.com/en-US/firefox/new/
Chrome 10: http://www.google.com/chrome
Java: http://www.java.com
Secunia: http://www.secunia.com