DNS: Internet Security

January 28, 2011

Biggest Source of Security Holes is Third-Party Software



Microsoft typically gets the rap for security vulnerabilities discovered in its products, but it’s actually third-party applications that often give the biggest headaches to IT and security pros, according to a new report from security vendor Secunia.

The recently released 2010 annual report from Secunia found that 69 percent of the security holes discovered last year were from third-party vendors, some of which may not even offer reliable ways to patch their products. In the company’s official blog, Stefan Frei, Secunia’s Research Analyst Director, explained how the report crunched the overall numbers.

Fifty-five percent of the end users that Secunia tracked have more than 66 different programs from 22 vendors installed on their PCs. Looking at the top 50 applications used, 26 are from Microsoft, but the remaining 24 are from 14 other vendors. From a patching perspective, one single update process offered by Microsoft can fix 31 percent of the holes found in Windows and other products. But to patch the remaining 69 percent, IT pros need to use 13 different update systems.

Overall, Secunia found that the update processes offered by third-party vendors are often too complex or aren’t fully automated, making them ineffective. As a result, third-party programs more often than not go unpatched.

The report does make a valid point. Microsoft is often seen as the source of security holes, and the company certainly has contributed its share of flaws in Windows, Office, and Internet Explorer. But in response, it offers an organized and timely method of updating vulnerable software through its Windows Update process and its famous Patch Tuesdays. In contrast, some third-party software vendors don’t respond quickly enough with patches when vulnerabilities are found and force you to hunt for those patches, leaving your organization vulnerable in the meantime.

What’s the solution? Some companies offer software update programs that can scan the applications on a PC and alert you to any potential updates. Naturally, as the sponsor of the study, Secunia touts its own product called Personal Software Inspector (PSI). The free version of PSI is geared more toward home users to help them find the latest patches for the programs they run. Secunia does offer a corporate version of the software called Corporate Software Inspector (CSI), but that one’s pricey depending on the size of your organization.

Other products that can help keep track of software updates include FileHippo’s Update Checker and KC Softwares’ Lite version of its Software Update Monitor. If you do try one of these products, I recommend setting up a test PC with all of the core software programs used in your organization. This way you can not only keep abreast of the latest updates but also test them before you deploy them to your end users.

But ultimately, I’d like to see a mechanism built into Windows that can monitor and update third-party software the same way that Microsoft’s own software can be updated. That would provide the same patching process to all software programs, both those from Microsoft and those from other vendors. That may be the only reliable way individual users and organizations can fully stay updated and protected against the latest security holes.



Edited by Jamie Epstein
