Be safe, rather than sorry! The continuing challenge of software vulnerability

22nd July 2014

July 21, 2014: Enterprises and individuals are increasingly threatened by vulnerabilities that are discovered in many of their most used software tools.
Anil Bhasin, Managing Director India and SAARC for cyber security solutions specialist Palo Alto Networks, suggests how one might stay protected and describes how security service providers work with software vendors like Microsoft, Oracle and Adobe to help their customers steer a safe path.

Microsoft and Adobe have made a priority of working with companies and finding and fixing vulnerabilities through programs like the Microsoft Active Protections Program (MAPP)*. Unfortunately, there are other widely deployed applications that have vulnerabilities discovered every day that are NOT discussed enough. Every year there are more than 5,000 vulnerabilities discovered, and businesses need to focus on knowing the risks of running vulnerable software.
Why does Microsoft keep finding vulnerabilities in its IE platform and how serious are they?
We like to take a different tack on this question, and would rather ask “why do major software vendors all over the globe keep discovering and patching vulnerabilities in their software?” When you ask it this way, you realize it goes far beyond the vulnerabilities that receive media attention, such as Microsoft’s. There will always be bugs or flaws in software, especially when you are talking about complex applications with millions of lines of code. In most cases they are unintentional, though they can sometimes be planted by malicious insiders or adversaries with access to an organization’s network.
You hear about Microsoft more than others due to how widely used their software is, and the impact it has on this large user base. Not only this, but they are in many ways leading the charge with the Microsoft MAPP program, which many companies participate in, to share the latest information on vulnerabilities to protect customers and the industry as a whole. Make no mistake, these vulnerabilities are serious, and all of the ones Palo Alto Networks has discovered for Internet Explorer receive the highest ranking of “critical” by Microsoft, but we believe that this open and responsible disclosure of vulnerabilities, and the sharing between vendors, is a powerful tool against adversaries.
Is this a concern to businesses and what do the vulnerabilities allow attackers to do/access?
Yes, critical vulnerabilities in the software you use each day represent a huge risk to businesses. Fundamentally, adversaries can exploit these vulnerabilities to gain an initial foothold in a system. This foothold allows advanced attackers to control the system, install malware, and use that as an initial pivot point to move around the network. Typically, stealing intellectual property is their goal, though they can also seek to bring down systems or deface a company’s public presence. In a technical sense, critical vulnerabilities like the ones we have discovered allow “full remote code execution,” meaning an attacker can execute code of their choice on the system from anywhere in the world.
What are the solutions for fixing/protecting businesses against these vulnerabilities?
Oracle's Java is probably one of the most widely deployed applications and among the most exploited by web attack toolkits. We should be shifting the conversation to encourage businesses to put pressure on companies to fix vulnerabilities, as well as on the primary application that may use the vulnerable software, and help all businesses to know if they are at risk. Often I hear that companies HAVE to use old, out-of-date, vulnerable software because the vendor that supplied it hasn't gotten around to fixing it. As an example – the only reason why one company we talked with had a vulnerable version of Java installed on every employee's computer was the vacation request software that required it! This single issue put their entire company at risk of silently being compromised by a web attack toolkit.
There are many ways to protect your organization, but they boil down to a few core concepts:
Keep your applications patched and up-to-date. Vulnerabilities generally only affect certain versions of software, and you greatly reduce your attack surface by applying the patches vendors provide, which close these gaps.
Employ basic security protections such as IPS/IDS to prevent exploitation of vulnerabilities at a network level. Choose a vendor who has a record of creating and deploying new signatures quickly, and is part of information sharing programs such as Microsoft MAPP.
Use Next-Generation Firewall policy as the central control point for your network, safely enabling only the applications you need to run your business, and blocking all others.
Have a solution for discovering unknown threats crossing your network, with the ability to prevent them in-line.
Join information sharing groups with your peers, to understand breaking attacks affecting others in your industry.
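The first of these points rests on knowing which installed builds fall inside an affected version range, which is where version checks usually go wrong (comparing "1.10" to "1.9" as strings, or "1.7" to "1.7.0" as different lengths). The script below is an added example written for this page, not code from Palo Alto Networks or the interviewee: it parses Java-style ("1.7.0_45") and Windows-style ("11.0.9600.17126") version strings numerically and reports every inventory entry older than the version that carries the fix. The host names, the inventory and the fix versions are constructed sample data, not real advisory records.

```python
"""Compare a software inventory against vendor fix versions to find
hosts still running vulnerable builds.

All hosts, version numbers and fix entries below are constructed
sample data for illustration, not real advisory records."""
import re
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a version string such as '1.7.0_45' or '11.0.9600.17126'
    into a tuple of integers so that comparison is numeric rather than
    lexical ('1.10' must sort after '1.9')."""
    parts = re.split(r"[._-]", text.strip())
    return tuple(int(p) for p in parts if p.isdigit())


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed build is older than the version that
    contains the fix. Shorter tuples are padded with zeros so that
    '1.7' compares equal to '1.7.0' instead of sorting before it."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed table: the first version of each product that closes the hole.
FIX_VERSIONS: Dict[str, str] = {
    "Java": "1.7.0_65",                       # hypothetical fixed build
    "Internet Explorer": "11.0.9600.17207",   # hypothetical fixed build
}

# Constructed inventory, as an endpoint agent or asset database might export it.
INVENTORY: List[Dict[str, str]] = [
    {"host": "hr-ws-01", "product": "Java", "version": "1.7.0_45"},
    {"host": "hr-ws-01", "product": "Internet Explorer", "version": "11.0.9600.17207"},
    {"host": "fin-ws-07", "product": "Java", "version": "1.7.0_65"},
    {"host": "fin-ws-07", "product": "Internet Explorer", "version": "11.0.9600.17126"},
    {"host": "dev-ws-03", "product": "Java", "version": "1.8.0_5"},
]


def find_vulnerable(inventory: List[Dict[str, str]],
                    fix_versions: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, fixed_in) for every install that
    predates the fix. Products with no fix entry are skipped, not flagged."""
    findings = []
    for item in inventory:
        fixed = fix_versions.get(item["product"])
        if fixed and is_vulnerable(item["version"], fixed):
            findings.append((item["host"], item["product"], item["version"], fixed))
    return findings


if __name__ == "__main__":
    for host, product, installed, fixed in find_vulnerable(INVENTORY, FIX_VERSIONS):
        print(f"{host}: {product} {installed} is below fixed version {fixed}")
```

Run against the sample inventory it flags the Java 7u45 install on hr-ws-01 and the older Internet Explorer build on fin-ws-07, while the host that already runs Java 8 and the two installs that sit exactly at the fix version are left alone. In practice the fix table would be filled from the vendor bulletins the interview mentions, and products with no entry are deliberately not reported so that a missing advisory never masquerades as a clean result.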
* The Microsoft Active Protections Program (MAPP) is a program for security software providers that gives them early access to vulnerability information so that they can provide updated protections to customers faster. For a few days, we have a video about MAPP in our Tech Video section on the home page.
Palo Alto Networks researchers discovered 10 new critical Internet Explorer (IE) vulnerabilities covering IE versions 6, 7, 8, 9, 10 and 11.
Each of these discoveries allows full remote code execution using a memory corruption vulnerability in IE. They have been documented in Microsoft Security Bulletin MS14-037 and are part of the July 2014 Security Bulletin. Palo Alto Networks researcher Bo Qu is credited with 8 vulnerabilities, and Palo Alto Networks researchers Hui Gao and Royce Lu are each credited with one. In the past six months, Palo Alto Networks has discovered many critical Internet Explorer vulnerabilities, including 22 in June 2014 (revised from 21), four in February 2014, one in December 2013, and three in November 2013.