Sue Marquette Poremba
The only time most of us think about the vulnerabilities in our computer software is when we’re asked to apply a patch. The flaws being fixed are usually too technical for the average computer user anyway, so we aren’t even sure how or what that patch is fixing. We rarely think about how long a software hole has been around.
The recent mass infection of Apple Macintosh computers by the Flashback Trojan may have changed our attitudes, especially regarding how long it should take to fix software vulnerabilities.
Flashback exploited a flaw in Oracle’s Java application environment, a self-contained mini-operating system that lets smaller applications run on any computer, whether PC, Mac or Linux.
The vulnerability was discovered in late January, and Oracle released an update for Windows and Linux in mid-February that patched it. Apple handles Java updates for Mac OS X, and by the middle of March, it had not released its own patch.
It was a fateful delay. The cyber criminals who control Flashback had been trying to infect Macs since September, mostly without success. They realized that all Macs running Java were still vulnerable, retooled Flashback to exploit the flaw and buried hidden links leading to the malware in countless unsuspecting websites.
By April 1, an estimated 600,000 Macs were infected with Flashback, the worst Mac malware outbreak in a generation. The next day, Apple patched the Java vulnerability.
Security experts were disappointed in Apple’s slow reaction, and with the company’s overall lag time in patching holes.
“I think [Apple] are 10 years behind Microsoft in terms of security,” Kaspersky Lab founder Eugene Kaspersky told Computer Business Review last month. “They will have to make changes in terms of the cycle of updates.”
“Some iOS attacks [on the iPhone platform] from the past took months to fix,” Jonathan Zdziarski, forensic scientists and author of “Hacking and Securing iOS Applications,” told SecurityNewsDaily. “The [iPhone] jailbreak community had fixes out for users before Apple did. That’s shameful.”
Apple’s not alone
Oracle has its own problems with delayed fixes. In late April, it was announced that Oracle was patching 88 vulnerabilities, but one of those vulnerabilities had been found and reported more than two years previously.
Josh Shaul, chief technology officer of Application Security, Inc., in New York, investigated theturnaround time on patching vulnerabilities Shaul’s team had reported to Oracle.
Over a five-year period, Shaul and his colleague had found 60 Oracle vulnerabilities. On average, it had taken 17 months for Oracle to come out with a fix.
“I’d like to see the turnaround times reduced down to around 90 days,” Shaul said.
Oracle did not respond to a request for comment.
Not every company will have the same average turnaround time. It’s hard to determine the industry average because turnaround delays are rarely reported.
“We know that some companies address security holes very quickly and release frequently — for example, the Google Chrome browser recently fixed a discovered vulnerability within 24 hours — whereas others take a slower approach,” said Wolfgang Kandek, chief technology officer at Redwood Shores, Calif.’s Qualys. “Companies factor in many aspects when looking at fixing a flaw, such as installed base, likelihood of attacks and complexity of the fix.”
Lots of reasons
The time lag can be a result of company complacency about malware. For years, Adobe’s applications, which include Photoshop, Illustrator and InDesign, were considered safe, if not foolproof. Back in the day, users didn’t need to worry about malware when they used Adobe.
Eventually, the cybercriminals began to focus on the “plug-ins” that let Web browsers use Adobe Flash Player and Reader files, and for a time, those were the most heavily exploited pieces of software. It took Adobe years to catch up.
Apple now finds itself where Adobe was a few years ago. Experts think that Apple’s response time, like Adobe’s, will eventually improve.
However, a quick fix isn’t always a good fix.
“Updating software reliably does not only mean fixing the problem,” Kandek said, “but also testing whether the fix plays well with other modifications included in the code, plus making sure that it does not break any functions of the software.”
Having a fix that works is important, but having the vulnerability on your computer affects how your system runs and who can control it. More often than not, the average computer user has no idea that a risk is there.
“The reality is, there are vulnerabilities in software with associated exploits that are not publicly known in many software packages,” said Ed Bellis, chief executive officer of Chicago-based security firm HoneyApps Risk I/O and former chief information security officer with online travel agency Orbitz. “Depending on the size of the deployment and the motivations of the attacker, the risks can be quite large or not affect the general computer user at all.
“Oftentimes, the general computer user is used as part of an attack against someone else, such as a botnet being used to attack a site through a distributed denial-of-service attack. This is a classic negative externality associated with security.”
For the general user who uses his machine for online shopping, social media, browsing for news and sending email, the risks of running a computer with unpatched vulnerabilities are very high, Kandek said.
“Cybercriminals are constantly looking for computers that they can attack and bring under their control,” Kandek said. “Once the attacker has control over the machine, he/she can install a logger program that will record keystrokes and actions looking for useful information, say, for example, the user’s login credentials to a banking site.
“Another program will look through the computer’s hard drive and search for personal information such as tax records, Social Security numbers, saved passwords and logins to websites.”
Steps to take
So what can you do to protect yourself from a vulnerability that a company is slow to fix? Shaul recommended uninstalling any program you don’t use.
“The only software that you can guarantee doesn’t leave you vulnerable is software you’re not running,” Shaul said.
Anti-virus software can be a big help, Shaul said.
“You may also consider switching to software with fewer published vulnerabilities,” he added, “or enduring the inconvenience of disabling browser and email features that are commonly exploited (such as Javascript).”
Users can also find out which vulnerabilities have been made public. There are a number of online databases a user can search, such as the National Vulnerability Database (http://nvd.nist.gov) or the OpenSource Vulnerability Database (http://www.osvdb.org).
To scan your system for known vulnerabilities, Qualys’ free BrowserCheck assesses your Web browsers, and Secunia’s free Personal Software Inspector will check all your applications to make sure they’re fully patched.
“Unfortunately, the current state of software makes keeping up with security a difficult task for the average user,” said Bellis. “If we as an industry are to make progress, security needs to be seamless to the end user and ‘just work.’ We have a long way to go and it’s going to require a lot of smart people to solve.”
