Monday, October 3, 2011

99.8% of Commercial Exploits caused by failure to patch


According to Danish security company CSIS, most Windows infections by commercial malware are the result of failing to patch a handful of vulnerable applications: Java JRE (37%), Adobe Reader/Acrobat (32%), Adobe Flash (16%), Internet Explorer (10%), Windows Help (3%), and Apple QuickTime (2%). MSIE and Windows Help are patched automatically by Windows Update (which home users should have enabled and which business sysadmins should be managing), but the other applications all need to be updated separately.

That said, I do NOT enable automatic patching of those applications on my business systems, for several reasons. First, patches have been known to break things, and an automatically applied patch that takes down tens or hundreds of computers on a business network can be very expensive in downtime. Second, malware authors have taken advantage of automatic-update prompts by imitating them (see notes 1 and 2 below). Home and small-business users should run the Secunia Online Software Inspector to see what needs patching, and then patch. Secunia also offers the Secunia Personal Software Inspector (PSI) (for home users only), but since it monitors your system and reports back to Secunia, I do not recommend it for privacy reasons.

As of this blog post, Java JRE is at version 6.0.27 (a.k.a. 6u27), Adobe Reader at 9.4.6 or 10.1.1 (8.3.1 is also safe, but Reader 8.x will not be patched after next month), Adobe Flash Player is at (both for IE and Firefox), and Apple QuickTime is at version 7.70.80. Subscribe to this blog or check back here frequently, as I will be posting the latest version numbers of these apps every time they are updated.
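To turn the version list above into a repeatable check, here is an added example (my own code, not from the post or from Secunia) that compares an inventory of installed versions against the patched baselines this post names. The inventory is constructed, the product labels are my own, and the baselines are the October 2011 versions listed above.

```python
"""Patch-level audit for the apps named in the post (added example)."""
import re

# Patched baselines from the post, keyed by product and major branch
# (Adobe Reader has three supported branches, so each needs its own floor).
BASELINES = {
    "Java JRE":        {6: (6, 0, 27)},
    "Adobe Reader":    {8: (8, 3, 1), 9: (9, 4, 6), 10: (10, 1, 1)},
    "Apple QuickTime": {7: (7, 70, 80)},
}

def parse_version(text):
    """Turn '6u27', '6.0.27', '10.1.1' or '7.70.80' into a tuple of ints.
    Java's '6uNN' update notation is normalised to (6, 0, NN) so it
    compares correctly against the dotted form."""
    m = re.fullmatch(r"(\d+)u(\d+)", text.strip())
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts + (0,) * (3 - len(parts))   # pad '9.4' -> (9, 4, 0)

def check(product, installed):
    """Return 'ok', 'outdated' or 'unknown branch' for one installed app.
    A branch the baseline table does not know (e.g. a future Reader 11)
    is flagged rather than silently passed, so someone reviews it."""
    ver = parse_version(installed)
    baseline = BASELINES[product].get(ver[0])
    if baseline is None:
        return "unknown branch"
    return "ok" if ver[:3] >= baseline else "outdated"

def audit(inventory):
    """inventory: list of (product, version) pairs from any inventory tool."""
    return {(p, v): check(p, v) for p, v in inventory}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("Java JRE", "6u24"), ("Adobe Reader", "9.4.6"),
              ("Adobe Reader", "8.2.0"), ("Apple QuickTime", "7.70.80")]
    for (p, v), status in audit(sample).items():
        print(f"{p:16} {v:8} {status}")
```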

Source: Java, Adobe vulns blamed for Windows malware mayhem • The Register
"99.8 per cent of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages"

Notes:
  1. Flashback Mac Trojan poses as Adobe Flash update, opens backdoor | Naked Security
  2. Fake Java Update uses your PC in DDoS Offensive - MalwareCity : Computer Security Blog

Updated Mon 03 Oct 2011 09:46 MST: corrected Adobe Reader version from 10.0.1 to 10.1.1
