Third-Party Programs, Not Microsoft, Harbor Majority of Security Bugs
It's long been assumed that cybercriminals compromise users most successfully by targeting Microsoft programs on Windows PCs, but according to a new report by the security firm Secunia, third-party programs are actually the criminals' most popular targets.
"The programs that an organization perceives as top priorities to patch, as opposed to the programs that cybercriminals target, are often vastly different," Stefan Frei, Secunia research analyst director, said in the company's 2011 yearly report, issued Feb. 14.
This perception gap is a serious problem, Frei added.
Microsoft software bugs accounted for only 10 percent of all security vulnerabilities, while 12 percent of computer flaws lurked in operating systems, Secunia noted. That left third-party programs — ones that companies tend to be the least vigilant about — responsible for 78 percent of all vulnerabilities in 2011.
"A typical corporate infrastructure contains layers of programs that organizations (a) consider business-critical, (b) know about, and (c) don’t know about. Many organizations will focus on patching the top layer — business-critical programs — only," Frei wrote.
"Cybercriminals," Frei added, "will target all programs."
To strengthen their defenses, Secunia researchers said, businesses should streamline their networks, reducing the number of third-party programs and thus reducing the number of update mechanisms needed to keep the endpoint secure.
Having a quick response plan in place is crucial as well, Frei said.
"For an organization with over 600 programs installed in their network, more than 50 percent of the programs that are vulnerable in one year will not be vulnerable the next year, and vice versa. Therefore, identification of all installed programs and an agile, dynamic patching strategy is the key to knowing the risks faced and successfully tackling vulnerabilities."
Even if you're not responsible for the security of a team of employees, and you're simply using your personal computer, Secunia's report resonates in one very notable way. Seventy-two percent of all vulnerabilities had patches available the day the flaws were disclosed, Secunia said. So if your computer prompts you to update software, do it, and regularly check if software upgrades are available.