www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
26 April 2010  

Application Vulnerabilities

Applications: the weak link

Vulnerabilities in applications tend to exceed those in operating systems (OS), and application patching is much slower than OS patching. Subhankar Kundu examines the contributing factors behind these facts and the initiatives taken to address the issue.

Vulnerabilities in popular applications such as Flash, Java Runtime, Microsoft Office and Adobe Acrobat exceed operating system (OS) vulnerabilities, and the rate at which applications are patched is much slower than the rate of OS patching.

Over the past few years, the number of vulnerabilities discovered in applications has been far greater than the number discovered in operating systems, resulting in an increase in exploitation attempts against application programs. The popular applications that are most exploited change over time, because the choice of which application to target often depends on factors such as ineffective patching.

Vulnerabilities are weaknesses in software that allow an attacker to compromise the integrity, availability, or confidentiality of that software. Some of the worst vulnerabilities allow attackers to run arbitrary code on a compromised computer. The Microsoft Security Intelligence Report (SIR) shows that the vast majority of vulnerabilities being exploited are in applications, as opposed to the browser or OS. Total unique vulnerability disclosures across the industry decreased sharply in 1H09, down 28.4% from 2H08. According to the same report, while application vulnerabilities were down from 2H08, operating system vulnerabilities were roughly consistent with the previous period, and browser vulnerabilities actually increased slightly.

It is not always easy to explain why the application vulnerabilities discovered last year outnumber those found in operating systems. In part, this may be because OS vendors, Microsoft for example, have invested in making their operating systems more secure.

Let’s try to examine the cause for such disparity between the number of vulnerabilities discovered last year in applications and those found in operating systems.

Why is it so?

The number of vulnerabilities identified in a software product depends not only on the quality of the software code, but also on the amount of security testing applied by external parties. Popular and widely deployed software typically gets the most attention from security testers and therefore it is not surprising that these products have more software vulnerabilities reported against them.

Sandeep Mehrotra, Country Head - Sales, Adobe Systems India, said, “The majority of attacks that Adobe is seeing exploit software installations that are not up-to-date with the latest security updates. Getting a patch out the door is only the first step; making sure that these patches are applied is the real measure to help customers defend themselves against new threats. Adobe strongly recommends that users follow security best practices by installing the latest security updates as the best possible defense against those with malicious intent.”

There are certain applications, primarily client applications, which are easy targets for attackers because of their ubiquity and cross-platform reach that allow the attacker to use an exploit against the largest possible user base.

Vishal Dhupar, Managing Director, Symantec India, said, “Users are more likely to keep their operating system patched rather than every single one of the several applications that they run today. However, even a fully patched OS cannot stop infections if application vulnerabilities are exploited. Furthermore, with the thousands of applications that are used every day, cyber criminals have several avenues to exploit, rather than depending on popular operating systems whose vendors are quick to identify and resolve vulnerabilities.”

Pallavi Kathuria, Director, Server Business Group, Microsoft India, said, “The Security Development Lifecycle (SDL) infuses security into each phase of development to protect customers by creating software that is less vulnerable and more resilient to malicious attacks. Most software organizations—and this included Microsoft before it embarked upon Trustworthy Computing —deal with security in the testing and release phase, long after security flaws have been programmed into an application. The Microsoft SDL prescribes security activities in each stage of the development process. The goal is dual: eliminate as many vulnerabilities as is practical and reduce the severity of the vulnerabilities that slip through.”

For example, infection rates of Windows Vista were significantly lower than those of Windows XP in all configurations in 1H09, and the infection rate of Windows Vista SP1 was 61.9% lower than that of Windows XP SP3. Comparing RTM versions, the infection rate of Windows Vista was 85.3% lower than that of Windows XP. The infection rate of Windows Server 2008 RTM was 52.6% lower than that of Windows Server 2003 SP2.

Kathuria added, “The higher the service pack level, the lower the rate of infection. Service packs include all previously released security updates at the time of issue. They can also include additional security features, mitigations, or changes to default settings to protect users. Users who install service packs may generally maintain their computers better than users who do not install them and may also be more cautious in the way that they browse the Internet, open attachments, and engage in other activities that can open computers to attack.”

Server versions of Windows typically display a lower infection rate on average than client versions. Servers tend to have a lower effective attack surface than computers running client operating systems because they are more likely to be used under controlled conditions by trained administrators and to be protected by one or more layers of security.

Most enterprises standardize on one or two operating systems alongside a wide range of applications. As an organization grows from a small to a medium to a large business, the number of applications increases dramatically: ERP, CRM, BI, RDBMS, messaging and collaboration platforms to address the needs of each set of stakeholders, custom applications for manufacturing or design and development, backup, archival, DR and so on. Large-scale OS updates happen primarily during the rollout of new versions, whereas other applications are under continuous development, with ongoing enhancements to features and functionality. It is therefore natural to find more vulnerabilities on the application side of an enterprise than in the OS.

Altaf Halde, Country Director, Sophos, India, said, “Ever since the security push before the release of Windows XP SP2, with every new major version and service pack, Windows developers introduced new and better security features like DEP, ASLR, kernel patch protection, UAC and service hardening to prevent simple exploitation of the operating system. Operating system exploitation on a big scale happens less and less frequently and the last major attack was that of the Conficker worm in December 2008 (exploiting MS08-067).”

Companies sometimes fail to patch enterprise software systems such as databases, leaving them ripe for attack. This is what happened with the Slammer worm: SQL Server installations were left unpatched even though Microsoft had already issued a patch, and the result was an epidemic.

Mehrotra said, “The Slammer worm occurred in 2003. In the seven years that have passed since then, we have observed a dramatic improvement in the capabilities of companies to quickly deploy security updates to their systems.”

Dhupar pointed out, “Lack of trained security personnel, lack of awareness and failure to deploy security solutions that automate routine tasks such as patch management leave enterprise software wide open to exploits.”

Kathuria said, “The software industry produces patches or hot fixes for plugging these vulnerabilities and end users need to download these patches and hot fixes to be relatively safe in the cyber world. However, users of pirated, unlicensed software would suffer from a big disadvantage of lack of access to patches and hot fixes being made available to them and this could make them constantly vulnerable to cyber attacks and they could possibly become a part of a botnet unknowingly. Another reason could be sheer laziness on part of the user to apply patches or subscribe to automatic updates.”

The data stored on servers, especially in databases, is the main business enabler for many companies. Applying the relevant patches requires taking servers and databases offline, and since the business depends on the availability of these servers, it is often cheaper to postpone patching the application even when administrators know that the patch should be applied as soon as possible.

Halde pointed out, “Some other reasons may be a deliberate delay to ensure that the newly published patches will not cause server instability, which could make the whole patching process even more expensive. Big companies often apply patches in several stages so sometimes servers will not be scheduled for patching before the actual attack happens.”

Exploitation attempts

Popular and widely deployed software applications tend to be an attractive target for attackers because their ubiquity and cross-platform reach allows attackers to use exploits against the largest possible user base.

The most recent and high-profile attack was a zero-day memory-corruption exploit for Microsoft Internet Explorer used as an attack vector to deliver a malicious payload, known by the name of Trojan.Hydraq. This Trojan hit headlines recently when it brought down the critical infrastructure of several large corporations. The attackers behind this operation targeted various organizations and sent messages using the spear phishing technique, which makes e-mail messages look like they come from a trusted source, thereby increasing the chance of victims following links or opening attachments.

Surprisingly, Trojan.Hydraq is not new. In July 2009, Symantec observed a PDF being used to exploit the Adobe Acrobat Reader and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID 35759). This PDF installed a Trojan horse that was an early version of the current malware.

Dhupar said, “Though an important aspect of information security is the prevention and investigation of targeted attacks that exploit zero-day or unpatched vulnerabilities to initially compromise systems in an organization, post-exploitation activities and subsequent attacks against the internal network accessible from a compromised machine should not be overlooked.”

In addition to traditional attacks against Windows passwords, attackers also leverage unpatched or zero-day vulnerabilities affecting computers on an internal network. In February 2010, as part of the scheduled Microsoft updates, an interesting vulnerability (CVE-2010-0231) surfaced. The vulnerability can be used to perform replay attacks against the Windows NTLMv1 (NT LAN Manager) authentication protocol to gain access to the Server Message Block (SMB) service on the target system. SMB is often enabled in organizational environments as a part of Windows File and Printer Sharing service; therefore, this vulnerability is an ideal choice for leveraging attacks against other network resources once one computer in the network is compromised.
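To illustrate why a challenge-response scheme like the one described above is only as strong as the freshness of its challenges, here is an added example (not code from the article, nor Microsoft's NTLM implementation): a toy NTLM-style server that reuses its challenge, beside one that issues a random challenge per session and accepts each one only once. HMAC-SHA256 stands in for the real NTLMv1 response computation, and the shared secret is a constructed value.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for the password-derived key both
# sides of an NTLM-style exchange hold (not a real NTLM hash).
SHARED_SECRET = b"constructed-example-secret"


def client_response(secret, challenge):
    # Stand-in for the NTLMv1 response function: HMAC-SHA256 rather than the
    # DES-based computation, since only the challenge handling matters here.
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class ReplayableServer:
    """Weak design: one fixed challenge for every session."""

    def __init__(self, secret):
        self.secret = secret

    def challenge(self):
        return b"\x11" * 8  # never changes, so a captured response stays valid

    def verify(self, challenge, response):
        expected = client_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)


class HardenedServer:
    """Fresh random challenge per session, each accepted at most once."""

    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()

    def challenge(self):
        c = secrets.token_bytes(8)
        self.outstanding.add(c)
        return c

    def verify(self, challenge, response):
        # Unknown or already-consumed challenges are rejected outright.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = client_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)


def replay_succeeds(server):
    """Observe a genuine login, then present the captured response in a new
    session. Returns True if the server accepts the replay."""
    c1 = server.challenge()
    r1 = client_response(server.secret, c1)
    assert server.verify(c1, r1)  # the legitimate authentication
    c2 = server.challenge()       # attacker's session: only r1 is known
    return server.verify(c2, r1)
```

The reused-challenge server accepts the captured response in the second session; the hardened server rejects it because the response no longer matches the challenge it issued.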

Attackers typically exploit flaws to gain access to a computer on an organizational network, then attempt to escalate privileges or attack other systems in the targeted network to gain access to further, possibly more lucrative, resources. Attacks against the internal network may involve gaining access to Windows password databases on the local system and Active Directory servers, using local administrator credentials to gain elevated privileges on the network, using password sniffers to obtain password hashes from the network, attacking domain controllers and much more.

Kathuria said, “As mentioned in the Microsoft SIRv6, increasingly, attackers are using common file formats as transmission vectors for exploits. Most modern e-mail and instant messaging programs are configured to block the transmission of potentially dangerous files by extension. However, these programs typically permit the transmission of popular file formats such as Microsoft Office and Adobe Portable Document Format (.pdf). These formats are used legitimately by many people every day, so blocking them has been avoided. This has made them an attractive target for the creators of exploits.”

Halde added, “All client side applications used for network communication including Web browsers, media players and various file format renderers/readers and popular social networks like Facebook and Twitter are prime targets for attackers. The more popular the software, the more appealing it is to attackers. Web browsers are the most common targets and Adobe products like Adobe Reader and Adobe Flash have been particularly targeted in the last few months too.”

Slower patching of applications

Today, the industry has moved to the automation of routine security tasks such as patch management. This means that IT staff can focus on other important tasks and let the software do the heavy lifting. Most of the responsible vendors patch their applications as soon as possible as this is an important user requirement.

Acrobat Reader is one such popular application: it is installed on most PCs but, it is widely believed, seldom gets patched as it should. Adobe contends that this assessment is incorrect. Mehrotra said Adobe has made great strides over the last year with focused security initiatives, greatly improved response times, and increased communication to customers and stakeholders. In addition to implementing a quarterly security patch schedule for Adobe Reader and Acrobat aligned with Microsoft’s Patch Tuesday, Adobe has significantly improved its incident response processes for urgent situations such as zero-days.

Mehrotra added, “Since the JBIG2 issue in early 2009, Adobe has responded to four zero-day vulnerabilities in Adobe Reader and Acrobat. Adobe turned around a fix for three of those issues for all supported versions of Adobe Reader/Acrobat on all platforms within two weeks. One of these issues affected both Adobe Reader and Adobe Flash Player, so more coordination was required, but we were still able to get an update out within two weeks. The fourth zero-day vulnerability was discovered on December 14, 2009 and fixed as part of the quarterly security update for Adobe Reader/Acrobat on January 12, 2010.”

Ensuring that security, privacy and reliability are built into products requires a combination of critical investments and focused efforts over a long period of time. Organizations should be ready for these investments.

Kathuria stated, “The Microsoft Malware Protection Center provides global response with a focus on customers through customer guidance such as top threat telemetry, daily telemetry, signature download location and also provides broad insight through tools and reports such as Microsoft Malicious Software Removal Tool, Windows Defender, Anti-Malware Technology, and the half-yearly Security Intelligence Report. It has active collaborations with various CERTs, law enforcement agencies and various antimalware industry collaborations.”

The Microsoft Security Response Center is involved 24x7 in monitoring and managing vulnerabilities in the company’s software and responding to incidents and managing the update release process.

The Microsoft Security Engineering Centre has been set up to protect the company’s customers by delivering products and services that are inherently secure.

Sriram S, CEO, iValue InfoSolutions, said, “Application security during design and development is the way to go to address this challenge. Developers need to be trained on various security challenges and incorporate security at every stage of application development, testing and rollout. Periodic vulnerability tests along with an application firewall will help maximize application availability and minimize downtime due to attacks.”

Halde pointed out, “If you do not take application security seriously your users will simply switch to another application. Microsoft’s security push and the activities of computer security companies like Sophos have contributed to improving the user awareness of security issues and we can expect this trend to continue.”

One of the major factors behind ineffective patching could be the constant pressure from cyber criminals, who keep discovering new vulnerabilities to exploit. However, reputable application vendors regularly issue patches as and when vulnerabilities are discovered.

As Dhupar puts it, “Vulnerabilities and exploits are a constant cat-and-mouse game between cyber criminals and vendors.”

subhankar.kundu@expressindia.com

© Copyright 2001: The Indian Express Limited. All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of The Indian Express Limited. Site managed by BPD.