Security 2014: The holes are in the apps, not the operating systems

Yes, some operating systems are more secure than others. Some, such as OpenBSD, make a real point of protecting you from attackers. Others, such as Windows, have had a bad reputation, but have gotten better over the years. Still others, such as Linux and Mac OS X are known for being secure, but in Mac OS X's case, at least one major security flaw, the SSL goto bug, has seriously damaged its reputation.

Flash bugs:

Flash bundled in the browser: Who owns the bugs?

Read now

When all is said and done, however, the real security problems in the 20-teens, according to security firms FireEye and Secunia, are not in our operating systems but in the applications we run on them.

Secunia reports that in 2013 76 percent of security holes in the 50 most popular programs on private PCs in 2013 affected third-party programs. That said, Windows, Secunia reported, continued to be the most targeted operating system. Windows 7, the most popular version of Windows, was also the most popular with hackers. Looking ahead, Microsoft predicts that XP users, which will soon no longer be supported, risk facing "zero day forever" attacks.

Secunia also found that "there were significantly more vulnerabilities reported in Microsoft programs in 2013 — compared to the previous year. Microsoft's troubled application share went up from 8.4 percent to 15.9 percent. The actual vulnerability count in Microsoft programs was 192 in 2013; 128.6 percent higher than in 2012." Even so, the vast majority of malware attacks, 75.7 percent, come from third party applications.

Just how bad are these attacks? FireEye reported that in 2012 enterprises could expect to be attacked by malware once every three seconds. In 2013, attacks have gone up to once every 1.5 seconds. No, they're not kidding.

A Secunia study revealed that Web-browsers, and other Internet-connected programs, as you'd expect, are the source of most attacks. Web browsers, as always, are under near constant attack. There's a reason why Google and HP are offering more than $3-million in awards for hackers who can break the most popular browsers at Pwn2Home and Pwnium security conferences.

Specifically, FireEye research found that "during the first half of 2013, Java was the most common focus for attackers in developing zero-day attacks. One of the primary reasons is that exploit development against Java is much easier than for most other software. Operating system attack mitigation, designed to prevent the execution of arbitrary code, is often ineffective in preventing Java exploits because the attacker merely has to corrupt a 'pointer' to the Java Security Manager."

As the year went on, Java, while still constantly backed, became a less important target, "During the second half of 2013, FireEye researchers observed a burst of Internet Explorer (IE) zero-days used in "watering hole" attacks, in which an attacker compromises a key website that is frequented by specific interest groups — who are in fact the ultimate target (and victim if their browsers are vulnerable to the exploit). We believe these attacks were serious enough to make Internet Explorer the single most dangerous zero-day attack vector in 2013."

 The good news? "The majority of these attacks targeted older versions of IE, such as 7.0 and 8.0."

The bad news? FireEye "also saw a higher number of zero-days that targeted more recent versions of IE, as well as the employment of new techniques to bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), which include leveraging Use After Free (UAF) and information leakage vulnerabilities. Unfortunately, this means that even newer versions of IE are likely not safe from attack, and that traditional security protections such as ASLR/DEP are also vulnerable."

And, of course, Adobe Acrobat and Flash were constantly exploited. For example, "Two recent attack campaigns—one targeting Adobe Flash and the other Adobe Reader — exploited critical sandbox vulnerabilities. A third campaign used a Windows XP Kernel vulnerability to escape the Adobe Reader sandbox. A fourth campaign embedded Flash exploits in Microsoft Office files to bypass sandboxes altogether, but its scope was therefore limited to users running Office 2008."

The one good thing about all this? Zero day attacks are becoming less common.  Secunia discovered "that 78.6 percent of vulnerabilities in all products, and 86.1 percent of vulnerabilities in products in the Top 50 portfolio have a patch available on the day of disclosure, represents a continued improvement in time-to-patch, particularly when taking a retrospective view of the last five years and the low of 61.6 percent recorded in 2010. The most likely explanation for the continuously good time-to-patch rate is that researchers are continuing to coordinate their vulnerability reports with vendors and vulnerability programs, resulting in immediate availability of patches for the majority of cases."

Of course, if you don't patch your programs as soon as possible that won't do you much good. Still, if you stay on top of your software updates you can be reasonably safe even on today's Internet. But, make no mistake about it, you must stay on top of it.

Related Stories:

• Adobe patches zero-day Flash flaw
• Flash bundled in the browser: Who owns the bugs?
• New Internet Explorer 10 zero-day exploit targets U.S. military
• 2013 most vulnerable systems & software: It's not just Internet Explorer
• More bugs, more bucks: Pwn2Own and Pwnium 2014