By Robert Vamosi
We’ve gotten good at updating our Windows and Office software — so good that criminals are looking elsewhere.
A new report suggests that patching your non-Microsoft applications might be just as important to a secure computing environment as keeping Windows and Office up to date — if not more.
Most vulnerabilities are in third-party products
As malware continues to evolve, keeping an eye on application updates is just as critical as maintaining security software. For years, that meant keeping your eye mostly on Microsoft. But with the regular monthly Patch Tuesday Windows security updates and Windows 7’s underlying security improvements, Windows and Office are no longer the attractive targets for cyber criminals they once were.
According to security vendor Secunia, the primary threats to PCs have shifted to third-party applications distributed by software developers large and small. In its 2011 annual report (free registration required) on the changes in computing security, Secunia found that from 2006 through 2011, its end-point vulnerabilities count tripled, to over 800. (Secunia defines end points as “the access points to all business-critical data, and are therefore lucrative targets for cybercriminals.”)
The report states that “A majority of these (79 percent), were found in third-party (non-Microsoft) programs.” It concludes that securing only “the operating system and Microsoft programs leaves end-points at considerable risk.”
The authors of the report looked at vulnerabilities that had either received a Common Vulnerabilities and Exposures designation from the MITRE Corporation or been noted by Secunia as valid vulnerabilities. The report does not weigh in on the time software vendors took to patch these vulnerabilities. But it does state that “programs with low market share are also at risk” for vulnerabilities. (The “low-hanging fruit” theory for malware implies that cyber criminals go after the most popular applications because that will give the best returns.) So if you’re not updating all the software on your PC, then your risk for getting malware might be getting worse, not better.
Vulnerabilities don’t necessarily become malware
It must be noted that not all software vulnerabilities lead to exploits that become malware. First, there’s the problem of actually exploiting the vulnerability. In some cases, taking advantage of a vulnerability can occur only under rare circumstances. In other cases, an exploit requires user interaction. Some exploits don’t make it to full malware status because there’s no practical way to propagate them.