2014 was a big year for security breaches. Sony, Target, Home Depot, and even Goodwill were severely compromised, leaking an unknown amount of customer information and critical corporate data, with some of the compromises exploiting weak passwords, unpatched Windows systems, and outdated third-party applications.
There are great tools available for managing Windows Update across a wide organization and we’re proud to provide those services to our customers. Recently, though, Windows has come to represent a smaller share of the vulnerability risk across the enterprise because of the rise in third-party application vulnerabilities, which is what we’re going to discuss today.
What, exactly, do I mean by Third-Party Applications?
Pretty much anything not made or supported by Microsoft is considered a Third-Party Application. Microsoft does not support these applications and it’s up to each individual vendor to provide the updates through whatever update mechanism they have in place. Most do not update automatically, require some kind of user interaction to change settings, and have horrendously irregular update schedules – making it nearly impossible to ensure even a small number of servers, workstations, and laptops are all fully up to date.
OK, so what kind of applications are we talking about here?
You probably already know – it’s the annoying ones that everyone has installed and everybody hates seeing the update window for. Just click “remind me later” and go on about your day, right? There’s a long list of applications that get ignored in even the most diligent organizations.
- Adobe Flash Player
- Adobe Reader
- Mozilla Firefox
- WinRAR and WinZIP
- Device drivers and software
- Printer drivers and the oh-so-hated bloatware they come with
Let’s just talk about Java in particular for a moment. Oh Java… Java Java Java. Sounds so harmless – just a delicious cup of coffee to start your day. Nothing bad can happen. Until it proverbially sets the network on fire and eggs your house.
During install, Java brags about being installed on over 3 billion – billion – devices around the world. Java is a platform-independent application framework, which means it allows developers to write applications once and run them on any system with Java installed. Sounds great, right? Sure, but being so ubiquitous means it’s one of the biggest targets out there. Just last year, Trusteer, an IBM company, released a report finding that half – half – of all exploits it examined were targeted at Java. Professionally speaking, that’s insane! You know what’s worse? It’s probably on your network. Right now.
I digress. The point here is that your network isn’t made safe by just protecting it with a firewall and running Windows Update on a regular basis. Ensuring a process is in place to manage third-party application patching throughout the organization, whether computers are on-site or off, is absolutely critical to its security. Modern attack vectors are becoming less about breaking in and more about tricking users into letting attackers in by running malicious software from the web or from phishing attacks and taking advantage of unpatched software already on the computer.
Through our experience providing Vulnerability Assessments for large organizations, we would certainly rate third-party application patching as the most critical security concern, as the largest number of “High” and “Critical” security vulnerabilities are consistently related to outdated applications. Our last scan was for a company with just over 1,000 computers and servers and the #1 risk was Java – over 1,200 vulnerabilities throughout the organization that could all be remediated quickly and easily with a managed patching procedure.
Which is why we offer that service – fully managed third-party application patching – to each of our customers. We support patching for all of the applications listed above and are constantly adding new software to the list. Any patches updated by their vendors that are rated as “high” or “critical” updates are approved for install automatically and applied on a schedule that each customer can customize based on their specific needs. The best part is that it’s incredibly cheap. We try to push it as much as possible because it’s so important, but it really is a no-brainer, regardless of what platform or provider you go with.
Combined with a managed Windows patching process, the vulnerability footprint of any organization can be drastically reduced. Get in touch today to learn more about how we can help manage the patching process for your organization, both for Windows and for vulnerable third-party applications.