Third-party apps ripe targets for cybercriminals, Secunia says

Third-party apps continued to be juicy targets for byte bandits in 2012, primarily because the programs are rife with vulnerabilities, according to a report by Copenhagen-based Secunia, a maker of vulnerability solutions. The main threat to end-point security for corporations and individuals is non-Microsoft applications.

In fact, the share of vulnerabilities attributed to non-Microsoft programs has jumped in the last five years, from 57% in 2007 to 86% in 2012, Secunia said.

That contrasts sharply with Microsoft's share of the vulnerability problem -- 5.5% in its operating systems and 8.5% in its software programs.


While Microsoft used to be a popular target for Internet riff-raff, that's no longer the case. "We've seen an increase over the past 10 years in the focus of cybercriminals on third-party applications," William Melby, a senior account executive with Secunia, said in an interview.

There are at least two reasons for that, according to Wes Miller, a research analyst with Directions on Microsoft in Kirkland, Wash. "They're pervasive and they're not as diligent about how they design and patch their software," he said.

"Ironically, Windows was the target for the longest time because it was so ubiquitous and while it's still ubiquitous, I think the bad guys are looking for lower-hanging fruit now like Reader and Flash and Java and iTunes," he said. "All those things that are pseudo cross-platform -- at least for Mac and Windows -- become a tempting threat vector."

Microsoft is benefiting from investments it made in writing more secure code over the last decade, according to Stefan Frei, a research director at NSS Labs in Austin, Texas. "Microsoft vulnerabilities dropped drastically from 2011 to 2012," he said. "That's made successful exploitation of Microsoft's programs much, much harder."

While attention was focused on bolstering the security of Microsoft's products, little pressure has been exerted on third-party vendors to clean up their acts, he said. "When cybercriminals suddenly shifted their interest to third-party programs, those software makers were caught with their pants down."

Not only has Microsoft improved the quality of its software code, all of its products can be updated through a single process, Melby explained.

"Third-party updates are more complicated," he said. "You might have to reach out to 30 or 40 vendors to get updates."

Secunia researchers discovered more than 2,500 programs with more than 9,700 vulnerabilities in 2012, an average of four per product.

And while software makers appear to have been keeping pace with the vulnerabilities as they're found -- 84% of the vulnerabilities had fixes for them on the day they were revealed -- the patches aren't being applied in a timely way.

Traditionally, the focus of IT departments has been to keep Microsoft's software up to date and let third-party patches slide, Melby explained.

"It's not good enough to just patch Microsoft applications anymore -- not with the number of vulnerable third-party applications running on any given system," he said.
