For years, we’ve heard the ire of security professionals worldwide over the vulnerabilities of the Microsoft operating systems.  Many touted Linux or even Macintosh as the answer.  Unfortunately, support for these operating systems is scant, in desktop applications in particular.  This kept many businesses from making such a move.

The answer from a security perspective was to keep the OS religiously patched and run bloated, up-to-date desktop anti-virus programs.  However, the one thing that is often overlooked in this approach is third-party applications.

I, for one, install at least the following applications without fail on every new desktop I build or rebuild:

  • Adobe Reader
  • Adobe Shockwave
  • Adobe Flash Player
  • Java Runtime Environment
  • Microsoft Media Player
  • QuickTime Player

I’m sure there are many other IT professionals that do the same.  Unfortunately, these often get overlooked when it comes to patching.  There is no simple “Automatic Updates Service” that can be enabled for many of these like there is in MS Windows. 

What many don’t realize is that new vulnerabilities are discovered in these applications just as frequently as in Windows, if not more so.  In many cases, these vulnerabilities can be exploited far more easily than many of those in Windows.  In addition, many are more dangerous in that they are usually targeted at specific businesses.  Imagine an exploit that a criminal could run by spamming a corporation with a PDF attachment.  This PDF attachment would then execute custom code that could install backdoor applications for a hacker to use.  Trade secrets or private information?  Not anymore….

Next, there are the inappropriately patched systems.  For example, how many people realize that simply upgrading the Java Runtime Environment does not necessarily close the holes the old version created?  Did you know that you actually have to manually uninstall the old versions of Java?  By default, Java’s installer does not do this, thereby leaving the exploitable code on your system.
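
One way to spot leftover versions like this on a Windows desktop is to read the uninstall registry keys and flag any product that appears with more than one version. The script below is an added example, not part of the original post; the display-name patterns are assumptions and should be adjusted to what your machines actually report.

```powershell
# Added example: inventory the third-party runtimes named in the post and
# flag any product family that has more than one version installed.
# The name patterns below are assumptions, not an authoritative list.
$families = [ordered]@{
    'Java'         = '^(Java(\(TM\))? (SE |\d)|J2SE Runtime)'
    'Adobe Reader' = '^Adobe (Acrobat )?Reader'
    'Flash Player' = '^Adobe Flash Player'
    'Shockwave'    = '^Adobe Shockwave'
    'QuickTime'    = '^QuickTime'
}

# Check both the native hive and the 32-bit view on 64-bit Windows;
# older 32-bit runtimes are usually registered under WOW6432Node.
$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

$report = foreach ($family in $families.Keys) {
    $hits = @($installed | Where-Object { $_.DisplayName -match $families[$family] })

    # Distinct version strings seen for this family on this machine.
    $versions = @($hits | ForEach-Object { $_.DisplayVersion } |
        Where-Object { $_ } | Sort-Object -Unique)

    foreach ($h in $hits) {
        [pscustomobject]@{
            Family         = $family
            DisplayName    = $h.DisplayName
            Version        = $h.DisplayVersion
            # True when an older copy is still installed next to a newer one.
            MultipleCopies = ($versions.Count -gt 1)
            Uninstall      = $h.UninstallString
        }
    }
}

$report | Sort-Object Family, Version | Format-Table -AutoSize
```

Any row with `MultipleCopies` set to `True` marks a product where an older version is still present and needs to be removed by hand or through your patch management tool.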

This is why patch management systems are so crucial for companies.  I’m sure when you lock the doors at night, you also close the shipping doors, the windows, and any other points of entry.  Likewise, you should be closing the points of entry into your data infrastructures.  If you can’t close them, for one reason or another, you should at least be aware of these points of entry and make efforts to minimize the risk you’re exposing your business to.