Asia's Source for Enterprise Network Knowledge

Wednesday, October 22nd, 2014

Information security management

Poor patching was 2009's biggest security threat

The biggest single threat to computer security is now the inability of PC users to patch their computers, Symantec's review of 2009 year has hinted.
 
According to the figures in Symantec's latest Internet Security Threat Report, last year saw a rise in malware volume, sophistication, automation and criminal opportunism in line with the sort of predictions one might have made based on the previous year's rises. In short, malware activity has never been higher.
But look below the headline 'shock and horror' statistics, and a more mundane but nevertheless interesting pattern emerges. After accounting for 11 percent of web-based attacks in 2008, PDF-based download exploits rose to account for 49 percent of such attacks. Internet Explorer was the second most attacked application, accounting for 18 percent of web-based attacks, down somewhat on 2008 but still at high levels.
 
To put this into perspective, two thirds of all web-based attacks - a type of attack that is the single most important in the criminal arsenal - can be related to only two applications. Incredibly, the Internet Explorer vulnerability in question is the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness that first came to the world's attention in August 2003, and was patched the following July.
 
Browser exploits seem to be about criminal preference rather the absolute number of vulnerabilities reported, Symantec researchers note. Mozilla suffered the most reported vulnerabilities at 169, and yet it was Microsoft's Internet Explorer was attacked more despite suffering only 45 vulnerabilities.
 
Although 14 percent of the 374 vulnerabilities found in browsers in 2009 remain unpatched, a bigger problem appears to be the inability of users to apply patches even when they are available. Some systems appear never to be patched, which raises the question of whether merely reducing the time between a vulnerability becoming known and a patch appearing will on its own stem the tide.
 
On a slightly positive note, overall vulnerability numbers saw a decline from 5,491 in 2008 to 4,501 in 2009.