Security firm CSIS recently asserted that just five products – Java, Adobe Reader/Acrobat, Adobe Flash, Internet Explorer and QuickTime – are responsible for 99% of all malware infections. Do you agree, and if so, can we save ourselves a lot of time and trouble and just ban Internet Explorer and those other dangerous applications from our endpoints?
The CSIS application security study mentioned in the question was conducted over a period of almost three months using data collected in real time. The purpose of the study was to understand how Microsoft Windows machines are infected by viruses and malware. CSIS found that Java, Adobe Reader/Acrobat, Adobe Flash, Internet Explorer and QuickTime were the applications most frequently used by hackers as an attack vector against users running a Windows operating system. CSIS also concluded that up to 85% of all virus and malware infections occur via drive-by automated attacks by commercial exploit kits, and that 99% of successful infections are a direct result of these five programs not being patched on a timely basis. The study covers both home PCs and machines used for business purposes, which shows that the problem is wide-ranging rather than confined to one kind of user.
An earlier report by vulnerability intelligence firm Secunia also provides an interesting insight into what makes PCs vulnerable. The well-known vulnerability clearinghouse reported that non-Microsoft programs are responsible for 69% of the vulnerabilities on a typical machine. Its numbers indicate that 55% of users have more than 66 programs from more than 22 vendors installed on their machines. Of the top 50 most common software programs, Microsoft developed 26 and the remaining 24 are by 14 other vendors. This means that Microsoft’s update service covers 31% of the vulnerabilities found in Windows and other Microsoft products, but a user has to run another 13 different update procedures to patch the remaining 69% of vulnerabilities found in the other products.
Secunia suggested that organizations can realize an 80% reduction in risk by patching the 12 most critical programs, or, as suggested by the question, they could ban the top five programs from their endpoints. The practicality of this option depends on the type of organization and how high a priority security is. An organization needs to assess how the productivity of its users would be affected if these five programs were blacklisted. How easy would it be for users to share information with clients and customers if they could no longer use these popular programs to open and create PDF files or browse the Internet? If banning these products would be met with too much user resistance, an organization needs to ensure it has a robust patching policy in place, backed by network access controls that prevent users whose software is not up to date from joining the network.
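The network access control the answer describes rests on a simple posture check: compare each installed copy of the five products against the minimum patched version and quarantine any endpoint that falls short. The following is an added example written for this page, not code from the article or from CSIS or Secunia; the product names come from the study, but the minimum versions, the installed versions and the host inventories are constructed placeholders, not real release numbers.

```python
"""Endpoint patch-compliance check for a network admission decision.

Added example, not from the original article. Product names are the five
named in the CSIS study; every version string below is a CONSTRUCTED
placeholder rather than a real release number.
"""

# Minimum acceptable versions per product (constructed placeholders).
MINIMUM_PATCHED = {
    "Java": "7.0.2",
    "Adobe Reader": "10.1.2",
    "Adobe Flash": "11.1.102",
    "Internet Explorer": "9.0.8112",
    "QuickTime": "7.7.1",
}


def parse_version(text):
    """Turn '10.1.2' into the comparable tuple (10, 1, 2).

    Non-numeric suffixes such as '8112a' are reduced to their digits so that a
    vendor's build tag does not break the comparison; a component with no
    digits at all becomes 0.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed, minimum):
    """True when the installed version is at least the minimum.

    Both tuples are zero-padded to the same length so '7.7' compares equal
    to '7.7.0' instead of sorting below it.
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def check_endpoint(inventory, minimums=MINIMUM_PATCHED):
    """Return {product: reason} for every product that would block admission.

    The inventory maps product name to installed version. A product that is
    not installed cannot be exploited on that host, so its absence is
    treated as compliant rather than as a finding.
    """
    findings = {}
    for product, minimum in minimums.items():
        installed = inventory.get(product)
        if installed is None:
            continue
        if not is_patched(installed, minimum):
            findings[product] = f"installed {installed} is below required {minimum}"
    return findings


def admit_to_network(inventory, minimums=MINIMUM_PATCHED):
    """Admission decision: admit only when no product is out of date."""
    return not check_endpoint(inventory, minimums)


# Constructed sample inventories for two hypothetical endpoints.
HOST_A = {"Java": "7.0.2", "Adobe Reader": "10.1.2", "Internet Explorer": "9.0.8112"}
HOST_B = {"Java": "6.0.29", "Adobe Flash": "11.1.102", "QuickTime": "7.6"}

if __name__ == "__main__":
    for name, inventory in (("host-a", HOST_A), ("host-b", HOST_B)):
        verdict = "admit" if admit_to_network(inventory) else "quarantine"
        print(f"{name}: {verdict} {check_endpoint(inventory)}")
```

Run as a script, host-a is admitted because every installed product meets its minimum, while host-b is quarantined for an outdated Java and QuickTime; its Flash copy is exactly at the minimum and so passes. In a real deployment the inventory would come from the endpoint agent or the software-inventory registry keys, and the minimum table would be refreshed each time a vendor ships a security update.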
Until software update mechanisms become more seamless and user friendly, an organization should also run antivirus software on its endpoints. While a patch provides better protection than antivirus, because it eliminates the root cause, antivirus products can prevent users from reaching malicious sites in the first place and can often provide some protection during the window between a vulnerability becoming known and a patch being released and installed.
This was first published in January 2012