Companies patch OS holes, but biggest priority should be apps

Corporations appear to be much slower in patching their applications than their operating systems -- even though attackers are mainly targeting vulnerabilities in applications, according to a new report.

"Now we know which vulnerabilities are being patched and which are not," says Alan Paller, director of research at the SANS Institute.  

The report, "The Top Cyber Security Risks," is based on data collected between March and August and was a collaborative effort by SANS, TippingPoint and Qualys. The group analyzed six months of data related to online attacks, collected from 6,000 organizations using the TippingPoint intrusion-prevention system, along with data related to 100 million vulnerability scans of 9 million systems using the Qualys vulnerability assessment service.

The report shows that 80% of Microsoft operating system vulnerabilities are being patched within 60 days, but only 40% of applications, including Office and Adobe. Meanwhile, the majority of online attacks are aimed at applications, particularly client-side applications, making this the No. 1 priority named in the report.

During the six-month timeframe, more than 60% of all attack attempts monitored by TippingPoint were against Web applications in order to convert trusted Web sites into malicious sites serving up malware and attack code to vulnerable client-side applications. The main attack methods used against Web sites were SQL injection and cross-site scripting.

In terms of vulnerability and exploitation trends, popular methods include attempting to brute-force passwords by guessing, with Microsoft SQL, FTP and SSH Servers among the most popular targets.

Some of the main vulnerabilities being exploited include the malicious Apple QuickTime Image File download (CVE-20009-0007); Microsoft's WordPad and Office Text Converter Remote Code Execution Vulnerability (MS09-010); and multiple Sun Java vulnerabilities.

Zero-day vulnerabilities -- which occur when a flaw in software code is discovered and exploit code appears before a fix or patch for the flaw is available -- were popular in targeted attacks, according to the report. Six notable zero-day flaws in the past six months include:

* The Adobe Acrobat & Flash Player Remote Code Execution Vulnerability (CVE-2009-1862) 

* Microsoft Office Web Components, Active X Control Code Execution Vulnerability (CVE-2009-1136) 

* Microsoft Active Template Library Header data Remote Code Execution Vulnerability (CVE-2008-0015) 

* Microsoft Direct X DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2008-0015) 

* Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493) 

* Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)

The report concludes by pointing out that finding zero-day vulnerabilities seems to be getting easier as "a direct result of an overall increase in the number of people having skills to discover vulnerabilities worldwide."