Patching – It's not just for Windows
December 1, 2009 | By Damon Armour, IT Security Officer
When the topic of patching computer software comes up, one of the first items on a user's mind is the operating system. Whether it's Windows, Apple's OS X, Linux, etc., each has programming flaws that require security or functionality patches. An area that is often overlooked is applications: Microsoft Office, Adobe Acrobat, Firefox, Flash, etc. Applications, in many cases, do not have a regular patch cycle, nor are you always notified when patches need to be installed. Today, digital criminals are targeting applications and using them to steal information or to remotely take over machines.
Microsoft Office is a mainstay on computers, whether PC or Mac. Yet Office has functionality that can be used maliciously if not kept current with the latest security patches. The macro features of Office are a primary target for exploit writers. Microsoft includes security and functionality patches with its regular Patch Tuesday (second Tuesday of the month) releases. You’ll also notice that Microsoft releases updated definitions to assist with Outlook’s spam filtering. When patching a Windows OS, it is very important to include any additional patch releases for Office or other Microsoft products.
There has been increased focus this year on the growth of web applications and web tools. There has been an increase in the use of Adobe's Flash components, and with that growth, an increase in exploits against its code. Adobe has released multiple security patches in 2009 to address these threats. Yet notification of the general public about Flash updates is spotty. Another Adobe application with recent exploits is Acrobat (Reader and Professional), which is used to open and/or edit PDF files. Similar to the Flash issues, Acrobat has suffered from malicious code being created and used publicly on the Internet and on company networks.
Two other applications that are present on many computers are Java and QuickTime. Java is a software platform used commonly with Internet applications and local to ASU computers. Within the last two years, Sun (the company that supports Java) has pushed out a large volume of Java updates and patches. Keeping up with all the changes can be challenging. Another issue with Java is applications being locked to a certain version. In some cases, a user will be forced to maintain an old, potentially vulnerable version of Java in order to keep other applications functional. If such a case exists, users should work with the application vendors and voice concerns on locking Java versions. QuickTime is a video/audio player from Apple. Many online videos use a QuickTime-formatted file such as .mov. As with the above applications, keeping up-to-date can be difficult and at times confusing, but it is important.
The primary risk being exploited with unpatched software applications is remote execution or arbitrary code execution. Wikipedia defines arbitrary code execution as “an attacker’s ability to execute any commands of the attacker’s choice on a target machine or in a target process.” In other words, the software flaw could allow someone to take over a computer. This could enable the attacker to run applications on the machine and use those tools to steal personal information, send spam from your computer, or use your computer in a distributed denial of service attack, in most cases, without your knowing.
How do you protect yourself from this array of applications and the real threat of vulnerabilities? The first step is being diligent in checking for application patches and fixes. Most applications come with an online update check process. When the application runs, a process will run in the background and check for updates. Check to see if your application configuration has this feature enabled. If an application does not include online update features, check with the vendor to see if there are mailing lists or other methods to keep you informed. If you are unsure, call the ITS Helpdesk at 706-737-1482 for further assistance.
Another option for checking application vulnerabilities is a tool that scans your computer for out-of-date versions. One such option is from Secunia: OSI (online), PSI (personal use), or CSI (corporate use). Depending on the version of the product, it will scan your computer and match the installed software versions against its database. With Secunia, you can see which applications are fully patched, which are insecure, and which have reached their end of life. The tool can provide a link to the most current version, technical details on the product, and a link to community forums. This is one of multiple offerings in their range of security products.
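The check described above (an inventory of installed versions compared against a vendor database and sorted into patched, insecure and end-of-life) can be illustrated with a small script. This is an added example, not code from the article or from Secunia; the product names, version numbers and database entries are constructed sample data.

```python
# Added example (not the article's or Secunia's code): a toy patched / insecure /
# end-of-life check like a version scanner's; names and versions are constructed.
import re

def parse_version(v):
    """'1.5.0_22' -> (1, 5, 0, 22). Tuples compare correctly where plain
    strings do not ('10.0' sorts before '9.2' as text but is the newer version)."""
    parts = []
    for piece in re.split(r"[._-]", v.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def compare_versions(a, b):
    """Return -1, 0 or 1 as a <, ==, > b; missing trailing segments count as 0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa, pb = pa + (0,) * (width - len(pa)), pb + (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)

# Constructed vendor database: newest patched version per product line, and
# whether that line is still supported (an unsupported line gets no patches).
DATABASE = {
    "Reader": {"latest": "9.2.0", "supported": True},
    "Flash": {"latest": "10.0.42", "supported": True},
    "Java 5": {"latest": "1.5.0_22", "supported": False},
}

# Constructed inventory of what one machine reports as installed.
INVENTORY = {
    "Reader": "9.1.3",
    "Flash": "10.0.42",
    "Java 5": "1.5.0_19",
    "HomegrownTool": "1.0",
}

def classify(name, installed, db=DATABASE):
    """Map one installed application to patched / insecure / end-of-life / unknown."""
    entry = db.get(name)
    if entry is None:
        return "unknown"       # not in the database, so nothing can be vouched for
    if not entry["supported"]:
        return "end-of-life"   # no fix will ever ship; upgrade to a supported line
    if compare_versions(installed, entry["latest"]) < 0:
        return "insecure"      # older than the current patched release
    return "patched"

def audit(inventory=INVENTORY, db=DATABASE):
    # The per-application report a scanner would show the user.
    return {name: classify(name, ver, db) for name, ver in inventory.items()}
```

Applications the database does not know about come back as "unknown"; a scanner cannot vouch for software it has no record of, so those still need a manual check with the vendor.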
This article has shown that patching the operating system alone is not enough to maintain a secure computer. Application threats have grown recently for multiple reasons. Individuals should keep an inventory of the applications that are running on their computers. Use the automatic updating tools or a third-party vulnerability scanning tool to verify that your versions are up to date. By patching both operating systems and applications, you will greatly reduce the risk of application compromise and/or data loss.