
Third-party apps ripe targets for cybercriminals, Secunia says

Third-party apps continued to be juicy targets for byte bandits in 2012, primarily because the programs are rife with vulnerabilities, according to a report by Copenhagen-based Secunia, a maker of vulnerability solutions. The main threat to end-point security for corporations and individuals is non-Microsoft applications.

In fact, the share of vulnerabilities attributed to non-Microsoft programs has jumped in the last five years, from 57% in 2007 to 86% in 2012, Secunia said.

That contrasts sharply with Microsoft's share of the vulnerability problem -- 5.5% in its operating systems and 8.5% in its software programs.


While Microsoft used to be a popular target for Internet riff-raff, that's no longer the case. "We've seen an increase over the past 10 years in the focus of cybercriminals on third-party applications," William Melby, a senior account executive with Secunia, said in an interview.

There are at least two reasons for that, according to Wes Miller, a research analyst with Directions on Microsoft in Kirkland, Wash. "They're pervasive and they're not as diligent about how they design and patch their software," he said.

"Ironically, Windows was the target for the longest time because it was so ubiquitous and while it's still ubiquitous, I think the bad guys are looking for lower-hanging fruit now like Reader and Flash and Java and iTunes," he said. "All those things that are pseudo cross-platform -- at least for Mac and Windows -- become a tempting threat vector."

Microsoft is benefiting from investments it made in writing more secure code over the last decade, according to Stefan Frei, a research director at NSS Labs in Austin, Texas. "Microsoft vulnerabilities dropped drastically from 2011 to 2012," he said. "That's made successful exploitation of Microsoft's programs much, much harder."

While attention was focused on bolstering the security of Microsoft's products, little pressure has been exerted on third-party vendors to clean up their acts, he said. "When cybercriminals suddenly shifted their interest to third-party programs, those software makers were caught with their pants down."

Not only has Microsoft improved the quality of its software code, all of its products can be updated through a single process, Melby explained.

"Third-party updates are more complicated," he said. "You might have to reach out to 30 or 40 vendors to get updates."

Secunia researchers discovered more than 2,500 programs with more than 9,700 vulnerabilities in 2012, an average of four per product.

And while software makers appear to have been keeping pace with the vulnerabilities as they're found -- 84% of the vulnerabilities had fixes for them on the day they were revealed -- the patches aren't being applied in a timely way.

Traditionally, the focus of IT departments has been to keep Microsoft's software up to date and let third-party patches slide, Melby explained.

"It's not good enough just to patch Microsoft applications anymore -- not with the number of vulnerable third-party applications running on any given system," he said.

Read more about application security in CSOonline's Application Security section.

