Security 2014: The holes are in the apps, not the operating systems

Summary: Security firms FireEye and Secunia say Windows continues to be the most-targeted OS and businesses can expect to be attacked by malware once every 1.5 seconds.

TOPICS: Security, PCs, Windows

Yes, some operating systems are more secure than others. Some, such as OpenBSD, make a real point of protecting you from attackers. Others, such as Windows, have had a bad reputation but have gotten better over the years. Still others, such as Linux and Mac OS X, are known for being secure, but in Mac OS X's case at least one major security flaw, the SSL "goto fail" bug, has seriously damaged that reputation.
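To show what the "goto fail" flaw actually was, here is an added illustration that is not code from the article or from Apple: a simplified reconstruction of the control-flow defect, with a buggy and a fixed version side by side. The hash-update and signature-check steps, the `SIG_INVALID` value and the `signature_is_valid` input are all stand-ins constructed for this example; only the shape of the defect (an unguarded, duplicated `goto fail;` that skips the signature check) mirrors the real bug.

```c
#include <stdio.h>

/* Status codes in the style of Apple's OSStatus: 0 means success.
 * SIG_INVALID is a constructed value for this example, not Apple's real code. */
typedef int OSStatus;
#define SIG_INVALID (-1)

/* Hypothetical stand-in for the handshake-hash update steps; always succeeds. */
static OSStatus hash_update(const char *label) { (void)label; return 0; }

/* Hypothetical stand-in for the signature check over the server's
 * key-exchange parameters. 'signature_is_valid' is the constructed input. */
static OSStatus signature_check(int signature_is_valid) {
    return signature_is_valid ? 0 : SIG_INVALID;
}

/* Buggy version: the duplicated "goto fail;" is not guarded by the if, so it
 * is always taken. Control reaches the cleanup label with err still 0, the
 * signature check never runs, and a forged signature is accepted. */
OSStatus verify_server_key_exchange_buggy(int signature_is_valid) {
    OSStatus err;
    if ((err = hash_update("client random")) != 0)
        goto fail;
    if ((err = hash_update("server random")) != 0)
        goto fail;
        goto fail;   /* the stray second goto: unconditional */
    if ((err = signature_check(signature_is_valid)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed version: braces on every branch and no stray jump, so the signature
 * check is reached and its result decides the outcome. */
OSStatus verify_server_key_exchange_fixed(int signature_is_valid) {
    OSStatus err;
    if ((err = hash_update("client random")) != 0) {
        goto fail;
    }
    if ((err = hash_update("server random")) != 0) {
        goto fail;
    }
    if ((err = signature_check(signature_is_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    printf("buggy, forged signature: %d (0 = accepted)\n",
           verify_server_key_exchange_buggy(0));
    printf("fixed, forged signature: %d (0 = accepted)\n",
           verify_server_key_exchange_fixed(0));
    return 0;
}
```

The buggy function returns 0 for a forged signature, which is exactly why a man-in-the-middle could present any key-exchange parameters and have them accepted. Apple's fix removed the duplicated line; the lesson for reviewers is that brace-less `if` bodies and a `goto`-based cleanup style let a one-line copy-paste error silently disable a security check, and that a negative test (feed a bad signature, expect rejection) would have caught it.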

When all is said and done, however, the real security problems in the 20-teens, according to security firms FireEye and Secunia, are not in our operating systems but in the applications we run on them.

Secunia reports that in 2013, 76 percent of the security holes in the 50 most popular programs on private PCs affected third-party programs. That said, Windows, Secunia reported, continued to be the most targeted operating system, and Windows 7, the most popular version of Windows, was also the most popular with attackers. Looking ahead, Microsoft predicts that XP users, whose system will soon no longer be supported, risk facing "zero day forever" attacks.

Secunia also found that "there were significantly more vulnerabilities reported in Microsoft programs in 2013 — compared to the previous year. Microsoft's troubled application share went up from 8.4 percent to 15.9 percent. The actual vulnerability count in Microsoft programs was 192 in 2013; 128.6 percent higher than in 2012." Even so, the vast majority of vulnerabilities, 75.7 percent, were in third-party applications rather than in Windows or other Microsoft programs.

Just how bad are these attacks? FireEye reported that in 2012 enterprises could expect to be attacked by malware once every three seconds. In 2013, attacks have gone up to once every 1.5 seconds. No, they're not kidding.

A Secunia study revealed that Web browsers and other Internet-connected programs are, as you'd expect, the source of most attacks. Web browsers, as always, are under near-constant attack. There's a reason why Google and HP are offering more than $3 million in awards to hackers who can break the most popular browsers at the Pwn2Own and Pwnium security contests.

Specifically, FireEye research found that "during the first half of 2013, Java was the most common focus for attackers in developing zero-day attacks. One of the primary reasons is that exploit development against Java is much easier than for most other software. Operating system attack mitigation, designed to prevent the execution of arbitrary code, is often ineffective in preventing Java exploits because the attacker merely has to corrupt a 'pointer' to the Java Security Manager."

As the year went on, Java, while still under constant attack, became a less important target. "During the second half of 2013, FireEye researchers observed a burst of Internet Explorer (IE) zero-days used in 'watering hole' attacks, in which an attacker compromises a key website that is frequented by specific interest groups — who are in fact the ultimate target (and victim if their browsers are vulnerable to the exploit). We believe these attacks were serious enough to make Internet Explorer the single most dangerous zero-day attack vector in 2013."

The good news? "The majority of these attacks targeted older versions of IE, such as 7.0 and 8.0."

The bad news? FireEye "also saw a higher number of zero-days that targeted more recent versions of IE, as well as the employment of new techniques to bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), which include leveraging Use After Free (UAF) and information leakage vulnerabilities. Unfortunately, this means that even newer versions of IE are likely not safe from attack, and that traditional security protections such as ASLR/DEP are also vulnerable."

And, of course, Adobe Acrobat and Flash were constantly exploited. For example, "Two recent attack campaigns—one targeting Adobe Flash and the other Adobe Reader — exploited critical sandbox vulnerabilities. A third campaign used a Windows XP Kernel vulnerability to escape the Adobe Reader sandbox. A fourth campaign embedded Flash exploits in Microsoft Office files to bypass sandboxes altogether, but its scope was therefore limited to users running Office 2008."

The one good thing about all this? More vulnerabilities have a patch ready on the day they are disclosed, which shrinks the window in which they can be exploited as zero-days. Secunia found that "78.6 percent of vulnerabilities in all products, and 86.1 percent of vulnerabilities in products in the Top 50 portfolio have a patch available on the day of disclosure," which "represents a continued improvement in time-to-patch, particularly when taking a retrospective view of the last five years and the low of 61.6 percent recorded in 2010. The most likely explanation for the continuously good time-to-patch rate is that researchers are continuing to coordinate their vulnerability reports with vendors and vulnerability programs, resulting in immediate availability of patches for the majority of cases."

Of course, if you don't patch your programs as soon as the fixes come out, that won't do you much good. Still, if you stay on top of your software updates you can be reasonably safe even on today's Internet. But make no mistake about it: you must stay on top of it.

  • What?

    No, operating system security issues are systemic and can affect many apps at once. The latest Apple SSL bug proved that. Of course apps could contain malware, but operating system bugs are the most dangerous when exploited because they're not caught by malware scanners.
    Sean Foley
    • Even the Apple SSL bug is in an application.

      Easily removed.
    • Depends on the scanner

      Some of the best scanners use the reputation of the file, script, etc. via a hash. Also, if a known file does not match its hash when it tries to execute, it's blocked. There are also heuristics that monitor behaviours. If an app or script gets past the defs check and rep check and runs, and it starts doing things that are malware-like, it's blocked.

      But I think that was the comment on the zero day, as the updates come out within 24 hours of an exploit. Major AV companies are working closer with the OS vendors, in that if the vendor does not have a fix fast enough, the AV guys put in a block till they do.
      Rann Xeroxx
      • No malware after i moved from Windows to Linux

        My computing became safe when I finally realized that Windows is not a secure OS. It was a good move because since that day I haven't invested a single cent to get this stable, secure, fast and decent system on my computer. Linux and open source software are really one of the best things in the world.
        • With this one sentence you've demonstrated...

          "My computing became safe when I finally realized that Windows is not a secure OS."

          ...your lack of knowledge on this subject. I suggest you refrain from any further comment thus be confirmed the fool we suspect you are.
  • Security 2014: The holes are in the apps, not the operating systems

    Do security firms FireEye and Secunia consider the open telnet port in Linux part of the OS or an app? Overall I'm finding Microsoft Windows to be one of the most secure operating systems, far surpassing that of Linux. With the monthly patches most issues get resolved in a short amount of time. Now the third-party apps, on the other hand, still allow some risks, but that can easily be resolved by setting the proper rights. Hackers are going to go for other platforms because with Microsoft Windows getting more secure each month they won't have a way to get in.
    • There is no open telnet port on Linux

      not that this in and of itself represents a vulnerability. Some distros don't even ship with a telnet server any more; you have to install it.

      Most Windows enterprise systems have terminal server enabled... and for good reason. It is a feature, not a problem.
      • You fell for this?

        • It's iconic ...

          Loverock and his "open telnet port" are legendary. He just loves to play this game and see how many buttons he can push. It's just good clean entertainment, Loverock style. Enjoy!
          George Mitchell
          • Yes, but LD should come up with some new material

            LD is not the most amusing poster anymore with just the same old jokes... Being a low credibility poster isn't funny by itself; new jokes are required.
          • no respect

            LD gets no respect, no respect I tell you... why once there was an open telnet port and another time somebody compiled the Linux kernel...

            Now take my wife, please ...

            no really, there must be an echo in here. Do I hear an open telnet port?
          • He is a bit of an idiot.

            Even Windows has a telnet service...

          • Telnet Client, Windows 7

    • "Hackers are going to go for other platforms"

      Yeah, right... Hackers will just give up, because Windows is such an unbreakable platform.

      "You just can't make this stuff up", as TB3 used to write.
    • "Ladas are the best cars ever."

      From a person that has only ever driven a Lada is the same as LD saying Windows is the most secure OS.
    • Once again

      Loverock opens telnet port and inserts head.
    • Linux is as secure as you make it

      Depending on your distro and your update platform on Linux, it's about as secure or insecure as Windows or OS X. Microsoft has actually done a great job in the past few years catching up, but make no mistake, it was a catch-up.

      On the consumer side, I think OS X is most secure, maybe followed by Windows, then Linux. This has nothing to do with the build but how the default setup manages the OS. OS X is tight by default, Windows 8.1 has become more tight, and most Linux distros seem to expect you to know what you're doing to make your install as secure or usable as you need it to be.

      JMHO and experience. No facts in the above statements.
      Rann Xeroxx
      • Like you said "No Facts"

        Take a look at the link and see where you are incorrect about the order of secure or unsecure OSes.
  • Java, Flash, or Acrobat?

    Hard to say which is the worst.
    • Ha, lets make it worse...

      We had to lock down Acrobat Reader because it was allowing Java vulnerabilities in. It's like Dumb and Dumber together.
      Rann Xeroxx