Bit9’s findings that unauthorized applications present a bigger threat to organizations than malware (malicious software) must be clarified so as not to confuse the already complicated topic of cyber security. First, unauthorized applications themselves are not malicious. Rather, an unauthorized application installed on an organization’s computer without the IT department’s knowledge creates a framework for insecurity.
When a user downloads and installs an application onto his/her desktop without the IT department’s permission or knowledge, it is more than likely that the user will not routinely upgrade or patch that application. It is these unpatched applications that open the door to the threat of malware.
An unpatched application creates a vector for attack. For example, according to Bit9’s report, Firefox 1.0.7 presented the number one threat to an organization’s cyber security posture. Notably, the most recent version of Firefox, version 1.5, is not considered to be a threat by Bit9. However, the earlier unpatched version of Firefox contains “multiple vulnerabilities including memory corruption, buffer overflows, errors in garbage collection, and running of arbitrary HTML and Javascript code that in many cases allow the execution of arbitrary code,” according to the Bit9 report. It is these vulnerabilities that allow a malicious actor to attack. In other words, these unpatched applications provide malware an easy entry into a target of attack.
With this clarification understood, the list of vulnerable applications compiled by Bit9 offers a compelling view into the cyber crime underworld. All of the 13 applications listed are popular applications with very large install bases. In reference to the list of vulnerable applications compiled by Bit9, Dr. Todd Brennan, co-founder and CTO at Bit9, stated, “these popular software applications are frequently downloaded to corporate desktops and can present serious risks for enterprise computing environments.” Cyber criminals do not choose these applications because they are more vulnerable than other less known ones; rather, these applications are attacked precisely because they are so widely known and used. An application with a large install base offers cyber criminals a greater return on investment. Criminals can develop one exploit cheaply that can be reused in an attempt to infect and commandeer as many computers as possible.
As an example, Roger Thompson, a security researcher for Exploit Prevention Labs, said cyber criminals increasingly are targeting unpatched versions of the popular Firefox browsers. Thompson discovered a malware developer’s toolkit that targeted vulnerable Firefox browsers being sold on Russian hacking web sites for about $300. The commercialization of this attack code illustrates that cyber criminals recognize the market opportunity available to malware that can infect computers effectively.
A simple remedy to the problem of unauthorized application downloading is for organizations to conduct routine hardware and software inventory checks. These inventory checks will help IT departments establish a baseline configuration that can then be controlled with an aggressive patch management system. A routine and aggressive patch management system will aid in plugging the gaps in an organization’s security posture that malware would otherwise be able to slip through and wreak damage.