Application Vulnerabilities? Put Your Computer on the Emsisoft Diet

vulnerableYou are what you eat.  The same goes for your computer.  Feed it junk and it will start to decay.  Feed it its fruits and vegetables, along with a low-impact anti-malware and you can bet it will have a long life ahead.  Unless of course you spill soda on the keyboard.

By now it’s pretty obvious that the Internet is riddled with all sorts of third-party freeware and that downloading too much of it is like eating pizza topped with bacon.  Yes, it tastes good.  Damn good.  But eventually, it’s going to slow you down.  Most of us have known this about computers for some time, and those of us interested in computer longevity remain stalwart against over consumption.

A new study from Denmark-based Secunia Security has brought attention to an oft overlooked component of computer health, however.  It’s not over consumption, but rather vulnerability, stemming from the world’s most popular applications.

Vulnerabilities Defined

Another mantra to consider: You are only as strong as your weakest link.  When it comes to computer security, this one pretty much nails it on the head.  You probably fill your computer with applications – legitimate tools – that are known and trusted.  You do this because they work well and some of them even taste pretty good; but, beneath the surface, many of these tools have vulnerabilities that are just waiting to be exploited.

A vulnerability is a kink – something like an Achilles heel.  It’s a small chunk of incorrectly written code that, if identified by an attacker, could completely compromise your system’s security.  Think of it this way: an application is just a set of instructions that tells your computer to perform certain tasks.  If that set of instructions is vulnerable, it means that it can be altered to make your computer do malicious things or to allow an attacker to access your files.  Vulnerabilities are actually quite common, because the most popular and powerful computer applications contain sprawling amounts of code.  This code changes with each new version released to provide new functionalities but also new opportunities for a vulnerability to arise.

The more popular an application, the more likely it is to be targeted by an attacker.  If, for example, an attacker can identify and exploit a vulnerability within an application used by 50% of the world’s computers…well, that attacker stands to infect and profit of off a whole lot of computers – at least until the vulnerability is patched.  A patch is a chunk of code that repairs an application’s vulnerability.  Patches are released: a) to prevent an attack when a company identifies a vulnerability on its own and b) to remediate an attack when a hacker finds a vulnerability first.  B) is called a zero-day, and it is much, much worse.

The 2014 Secunia Vulnerability Review

As you might imagine, vulnerabilities are a big deal.  Most major software developers automatically patch and update their products on a continual basis, but no system is perfect.  As such, Secunia Security develops a product called Secunia Personal Software Inspector (PSI) designed to detect vulnerable and outdated applications automatically.

PSI does a good job of keeping users up to date, so long as patches exist.  Since it is in widespread use, the software also allows Secunia to conduct studies on the nature of application vulnerabilities.  The most recent study presents key findings from 2013, but also evaluates trends from the last 5 years.

Secunia Vulnerability Review Findings

2014’s report is the result of scanning millions of private computers running Secunia PSI.  The aggregated data was anonymized and used to assess vulnerabilities on the average user’s computer.

Secunia found that in 2013:

  • The average computer had 75 programs installed on it.
  • 50 of these programs (the “Top 50”) were common to all users; 33 were Microsoft products; 17 were third-party products.
  • Third-party products contained 75.7% of the vulnerabilities found within the “Top 50” programs; Microsoft products were responsible for the remaining 24.3%.

Secunia also found that in 2013:

  • 86.1% of vulnerabilities within the “Top 50” programs had a patch available on the day of disclosure.
  • Internet Explorer – holding 99% of the web browser market share – had 126 vulnerabilities and 12% of users running unpatched versions of the software.
  • Adobe Reader – holding 91% of the PDF reader market share – had 67 vulnerabilities and 31% of users running unpatched versions of the software.
  • Windows 8 had a total of 1261 vulnerabilities; 55 of these came from Internet Explorer integrated with Adobe Flash.

Important Conclusions

Third-party programs are the most vulnerable. Over the last 5 years these programs have comprised the minority of Top 50 programs, but are still responsible for approximately 75% of all observed vulnerabilities.  Top offenders include products from Adobe, Oracle, Mozilla, and Google.

13.9% of vulnerabilities in 2013’s Top 50 programs went unpatched for over a day. The good news is that this number has decreased over the last 5 years.  The bad news is that even the most stringent patch management will not completely protect your computer.  A user or administrator may indeed identify a vulnerability the day it is announced, but if a patch has yet to be released their computer(s) will still be vulnerable.

A Recipe for Vulnerability Protection: The Emsisoft Diet

In reality, nobody has the time to monitor all of their computer’s applications for vulnerabilities.  Kind of like nobody has the willpower to eat nothing but hard-boiled eggs and grapefruit for breakfast, lunch, and dinner, every single day.  Studies like Secunia’s reveal that computer security reality is far from ideal, but they do not imply user powerlessness.  There are actually a number of things you can do to protect yourself from application vulnerabilities.

  1. If you don’t need it, take it off your computer – because if you are not using it, chances are very high that it is not up to date.
  2. If you do need it, keep it updated.  Microsoft products usually update automatically or at least let you know that updates are available.  Third-party products aren’t always so automated, and might require you to check in at the company’s official website.  Emsisoft works hard to notify our users of most major vulnerabilities through our blog.
  3. Consider using a vulnerability monitor, like Secunia PSI.
  4. Combine items 1-3 with Emsisoft Anti-Malware, and enjoy.  In the event your computer falls prey to an application vulnerability, Emsisoft Anti-Malware will prevent the attack from running to completion using Behavior Blocking technology.

With proper maintenance, your computer can last for many years.  Most users are aware of the fact that too many applications can negatively impact computer performance, but Secunia’s study serves as an important reminder that everyday tools can negatively impact your personal security.  There is a big difference between a sluggish PC that won’t stream your favorite videos and an infected PC that streams videos of your daily activity to hackers with malicious intent.  Here at Emsisoft, we try to prevent both.

So keep an eye on those third-party applications, eat your vegetables, and Have a Great (Malware-Free) Day!

About Secunia

Secunia is recognized industry-wide as a pioneer and global player within the IT security ecosystem, in the niche of Vulnerability Management. They equip corporate and private customers worldwide with Vulnerability Intelligence, Vulnerability Assessment, and automated Patch Management tools to manage and control vulnerabilities across their networks and endpoints.

Full report available for download at:
http://secunia.com/vulnerability-review/

Have a Great (Malware-Free) Day!