Web server attacks, poor app patching make for lethal mix

Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats

A dangerous combination of a massive increase in Web server attacks and poor patching practices is a major cause of concern for experts, according to a report issued today by several security organizations.

In a groundbreaking study that matched attack trends with patching cycle data, some conclusions came as a shock, said Rohit Dhamankar, the director of security research at 3Com TippingPoint, which contributed real-world attack information -- acquired from its intrusion detection systems -- to the report.

"The sheer number of attacks against Web servers was surprising," said Dhamankar. "In terms of attack volume, they were almost 60 per cent of all so far this year. Hackers are after a foothold in the corporate network, to conduct client-side attacks against visitors of the site, but also once they have that foothold, to gain much higher privileges and use those to also steal data."

Dhamankar pointed to the recent spread of malware from the New York Times Web site as a perfect example of the alarming increase in server attacks. Over the weekend, hackers duped the newspaper into using a malicious ad, which in turn tricked users into downloading and installing fake antivirus software . "The New York Times is a respected brand, and so it's a perfect avenue to infect lots and lots of users," he noted.

Some servers, once compromised, are even attacking other servers to pillage back-end information and to host malware fed to unsuspecting users, said Dhamankar.

The report -- which can be read on the SANS Institute's Web site -- correlated the high number of Web server attacks with another trend: poor patching practices by the Web's highest-profile third-party applications.

"Applications that are widely installed are not being patched at the same speed as the operating system," said Wolfgang Kandek, the chief technology officer of Qualys, which contributed its patching data to the study. "For Adobe Reader, Adobe Flash, Sun Java, Microsoft Office, Apple QuickTime, the patch cycles are much much slower than for operating system," he added.

That's a major problem.

"From our point of view, this is a big deal, said Kandek, speaking for security professionals in general. "There are real-life examples, where you can see attackers attacking corporate Web servers, then from there infecting client machines, until eventually a client machine is compromised that has full access to the network. Then [attackers] are stealing that corporation's data." "Attackers have realized that patching of these third-party apps is complex," added Dhamankar. "They know that a lot of people are focused on patching operating systems rather than patching applications like Flash or Reader." And thus they dig into the most widely-installed applications, looking for flaws.

The combination of hacked servers and unpatched client applications is critical. "The lack of patching opens up a huge window of vulnerabilities," Kandek acknowledged. "It shows that patching is crucial."

Adding salt to the wound, said Dhamankar and Kandek, is that while users are patching, they're patching the wrong software. While operating systems, particularly Windows, are patched by users and organizations at a relatively rapid -- and complete -- clip, the number of attacks exploiting OSes has dropped precipitously.

"Enterprises are focused on OS patching rather than on application patching," said Dhamankar. "They don't have their resources allocated properly."

Putting a stop to the threat trend won't be easy, but it is possible, argued Kandek.

"Some enterprises have patching policies in place for third-party applications, and there are industry-standard tools to do this," he said. "The technical solutions are out there. [Third-party] patching could be much better, and I see vendors being pressured to do more to integrate their patching into these tools.

"But we've done this before," Kandek continued, referring to the security situation several years ago, when Windows was the main target of attackers. Microsoft beefed up its then-OS, Windows XP, dedicated itself to writing more secure code and pushed customers to update religiously.

"That means we can do something about this, too," Kandek concluded.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags 3ComtippingpointWeb serversphishing

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?