Old 02-18-2006, 02:57 PM   #1

shellspeare

Programs in Peril

Popular apps have more security flaws than Windows does.
Andrew Sullivan
From the March 2006 issue of PC World magazine
Posted Monday, January 30, 2006

source: http://www.pcworld.com/resource/prin...,124510,00.asp


With a spiking number of security flaws, the programs you run every day are now a more enticing hacker target than your operating system.

The Windows OS has become battle-hardened over years of trial by fire, enduring relentless hacker attacks. Although sometimes-critical flaws continue to surface, security patches applied via automatic updates have made Windows a tougher nut to crack.

If hackers were still just kids out to cause trouble and make a name for themselves, this might be enough to divert them to less destructive pursuits. But these days money, not mayhem, motivates a determined core of Internet attackers. (See the exclusive PCWorld.com series "Web of Crime" for more on this new and unsettling trend.)

These hackers are looking for easier ways to break into your computer--and they're finding your applications.


Porous Programs
It could be your antivirus application that leaves you exposed to online threats. It could be the media player software that opens the door to your unsuspecting PC. Even playing a CD on your computer could prove dangerous, should the disc contain slipshod anticopying software.

And Mac users, wipe that smug look off your faces: Because these security flaws are found in applications rather than operating systems, you are at risk as well.

Desktop programs such as iTunes, RealPlayer, and even the security-conscious Firefox now account for more than 60 percent of serious vulnerabilities, according to the British security firm Qualys. See the chart "Keep an Eye on These Apps" for a tally of flaws in popular applications.

The trend has offset years of painstaking progress in improving Internet security, says Allan Paller of the SANS Institute, a Maryland cybersecurity research organization. "We're back to where we were six years ago," he warns.

Windows remains a popular hacker target simply because it's so prevalent on both consumer and corporate computers, and new, sometimes critical vulnerabilities still surface on a regular basis. One recent major Windows flaw involving .wmf image file handling could have given attackers remote control of your machine (Microsoft quickly released a patch, however).

Despite new holes, though, Microsoft products are still notably more secure than they used to be, according to John Pescatore, a security analyst at Gartner Research. The majority of security risks now surface in everyday apps like Web browsers, media players, and even must-have antivirus applications, according to SANS's recent report, "The Twenty Most Critical Internet Security Vulnerabilities."

Browse With Care
Web browsers appear to be the most vulnerable applications today, drawing dozens of security warnings from the research firm Secunia. Compounding their flaws are problems afflicting the programs responsible for much of the Web's back end, including domain-name servers and the PHP scripting language that runs many discussion boards. A well-crafted attack could, for example, "poison" domain-name servers to redirect visitors from a legitimate Web site to a thieving phony site that takes advantage of browser holes to surreptitiously install malicious code on the users' computers.

Other browser vulnerabilities could allow Internet thugs to manipulate dialog boxes, for instance, so users might think that they're responding to an important system message when they're actually downloading malicious code.

Microsoft has blurred the line between Internet Explorer and the rest of Windows. Whether it's a deep-down part of the operating system or a distinct application, the dominant browser still has the most potential pitfalls. However, security holes in alternative programs such as Mozilla Firefox and Opera make them targets as well. Both IE competitors tend to fix new-found holes with quickly released patches, but remember: If you don't keep up with the updates, you're in danger.


Music to Hackers' Ears
Browser holes are like bull's-eyes for hackers, because most everyone surfs the Web. But those ubiquitous programs aren't the only popular applications to suffer from security risks. iTunes, RealPlayer, and other media players have multiple failings as well. Attackers could disguise their malicious code to look like a digital song or movie file, researchers say, or they could simply force the hapless media player to choke on an overly long Web address in order to take control of a vulnerable computer.

For the time being, however, flaws in media players are mostly a theoretical threat. Researchers have found viruses masquerading as MP3 files but have yet to put their finger on a serious attack against player programs. Don't wait for disaster to strike, though: If your media player has been alerting you about an available update, get it. Or check the software's version yourself (under the Help menu, usually) if your player doesn't give you a heads-up. Reducing the threat by uninstalling media players you don't use regularly is also a good idea.

Even must-have antivirus programs suffer from flaws. The number of vulnerabilities in antivirus and other security software is increasing at a faster rate than for Windows, according to a 2005 Yankee Group report that looked at government statistics.

While most every antivirus program updates itself quickly to close any newly discovered holes, an old antivirus utility can be worse than useless, SANS's Paller says.

Threat: Old Antivirus Apps
"The problem is, a lot of people get a free version of those things, and they don't subscribe," Paller explains. "They install it on their computer and think they're okay, and then they're dead--what looks like a nice gift of a free antivirus tool becomes a threat," he says.

If your subscription has run out, upgrade to the latest version of the application, resubscribe to another year of updates, or shop around for a new program. No-cost alternatives include AVG Free and Avast Home Edition. We put these and eight other antivirus utilities to the test in "The New Virus Fighters."

One threat that didn't make the SANS list was Sony BMG's clumsy attempt to prevent its songs from being distributed over peer-to-peer networks. Malicious software writers quickly developed a worm that exploited a file-hiding "rootkit" in the third-party copy-protection software used on 49 of Sony BMG's CD titles.

So what to do? Though new vulnerabilities pop up seemingly every day, the oldest ones still present the greatest threat, Gartner's Pescatore says. Taking even the most basic security precautions--namely, keeping your Web browser and your antivirus software up-to-date--can keep you ahead of the game.


Empty Advice?
Paller is less optimistic about the situation. Most Internet users have things other than online security on their minds, and the boilerplate advice dished out by well-intentioned advocates doesn't help much, he says.

"I think words like 'Be diligent' are stupid. I don't think people are diligent," he explains, "[and it's] because they're busy. So I think they're just going to have a lot of machines taken over and used and filled with spyware."

The situation won't change until consumers pressure software makers to place a greater emphasis on security, Paller adds. That's already happening in the corporate world, as buyers are writing security requirements into big contracts. On the consumer front, the success of products like Firefox that concentrate on security could inspire other vendors to step up their game.

Paller believes that a heavyweight such as Microsoft will eventually find a way to bundle software updates from other vendors along with its own--a scenario that might make life easier for users but could upset rivals already concerned about Microsoft's dominance.

The most recent list of the top 20 Internet vulnerabilities from computer security research organization SANS highlighted a disturbing development: There are now more known security holes in desktop applications than in the Windows operating system.

Here's a selection of programs from that report, with the number of total vulnerabilities (patched and unpatched) for each app as listed by Secunia, another research firm.

Five Tips for Securing Your Programs
Here's how to stay safe and keep your applications up-to-date without spending the time to become an IT expert.

Turn on automatic updates: If a program supports this crucial feature, enable it. Windows Update takes care of patching Internet Explorer, and Firefox 1.5 has its own automatic update. You should have the program ask you before it applies the change, though, just to stay on top of what's going on with your computer.

Lock down IE: Update your browser settings for maximum security. Select Tools, Internet Options, click on the Security tab, and choose Custom Level for the Internet zone. Disable ActiveX controls, set Java permissions to high, and disable 'access to data sources across domains'. Also disallow 'paste operations via script'.

Try a third-party service: VersionTracker's Web site lists available patches for a wide range of applications on PCs, Macs, and even Palms. For $30 you can download VersionTracker Pro, which scans your installed programs and provides easy patch downloads for out-of-date apps. BigFix offers a free consumer program that looks for application flaws and other vulnerabilities.

Stay informed: Get the latest security news and analysis delivered to your electronic doorstep by subscribing to an RSS feed from antivirus software maker Kaspersky or from Internet security company Sophos.

Do it yourself: Set a once-a-month calendar reminder to check for updates from within the program (if it allows that) or to look for patches at the maker's Web site. It's worth the nagging.
Old 02-25-2006, 09:20 PM   #2

imported_Link

Hmm, I read through that, and whilst I guess it's true that other popular commercial applications are just as riddled with flaws as Windows/IE has been, it misses the fundamental point, that hackers looking to take over computers for commercial gain (e.g. to install spyware or to remotely spam etc) will use whatever exploit has the largest market which is best use of their time, so we're still talking Windows and IE here.
Hackers in a purer sense (e.g. someone who will go one on one to try and take over a person's computer system) will of course turn to flaws in the less universal applications, let's assume their target is more than just a casual computer user.
And unless you're insanely good at internet security, you cannot stop a determined enough person in those circumstances IMO.