A dangerous combination of a massive increase in web server attacks and poor patching practices is a major cause of concern for experts, according to a report issued today by several security organisations.
In a groundbreaking study that matched attack trends with patching cycle data, some conclusions came as a shock, said Rohit Dhamankar, the director of security research at 3Com TippingPoint. TippingPoint contributed real-world attack information, acquired from its intrusion detection systems, to the report.
"The sheer number of attacks against web servers was surprising," said Dhamankar. "In terms of attack volume, they were almost 60 percent of all so far this year. Hackers are after a foothold in the corporate network, to conduct client-side attacks against visitors of the site, but also once they have that foothold, to gain much higher privileges and use those to also steal data."
Dhamankar pointed to the recent spread of malware from the New York Times Web site as a perfect example of the alarming increase in server attacks. Over the weekend, hackers duped the newspaper into using a malicious ad, which in turn tricked users into downloading and installing fake anti-virus software. "The New York Times is a respected brand, and so it's a perfect avenue to infect lots and lots of users," he noted.
Some servers, once compromised, are even attacking other servers to pillage back-end information and to host malware fed to unsuspecting users, said Dhamankar.
The report, which can be read on the SANS Institute's website, correlated the high number of Web server attacks with another trend: poor patching practices by the Web's highest-profile third-party applications.
"Applications that are widely installed are not being patched at the same speed as the operating system," said Wolfgang Kandek, the chief technology officer of Qualys, which contributed its patching data to the study. "For Adobe Reader, Adobe Flash, Sun Java, Microsoft Office, Apple QuickTime, the patch cycles are much much slower than for operating systems," he added.
That's a major problem.
"From our point of view, this is a big deal", said Kandek, speaking for security professionals in general. "There are real-life examples, where you can see attackers attacking corporate web servers, then from there infecting client machines, until eventually a client machine is compromised that has full access to the network. Then [attackers] are stealing that corporation's data."
"Attackers have realised that patching of these third-party apps is complex," added Dhamankar. "They know that a lot of people are focused on patching operating systems rather than patching applications like Flash or Reader." And thus they dig into the most widely-installed applications, looking for flaws.
The combination of hacked servers and unpatched client applications is critical. "The lack of patching opens up a huge window of vulnerabilities," Kandek acknowledged. "It shows that patching is crucial."
Adding salt to the wound, said Dhamankar and Kandek, is that while users are patching, they're patching the wrong software. While operating systems, particularly Windows, are patched by users and organisations at a relatively rapid clip, the number of attacks exploiting OSes has dropped precipitously.
"Enterprises are focused on OS patching rather than on application patching," said Dhamankar. "They don't have their resources allocated properly."
Putting a stop to the threat trend won't be easy, but it is possible, argued Kandek.
"Some enterprises have patching policies in place for third-party applications, and there are industry-standard tools to do this," he said. "The technical solutions are out there. [Third-party] patching could be much better, and I see vendors being pressured to do more to integrate their patching into these tools.
"But we've done this before," Kandek continued, referring to the security situation several years ago, when Windows was the main target of attackers. Microsoft beefed up its OS, Windows XP, dedicated itself to writing more secure code and pushed customers to update religiously.
"That means we can do something about this, too," Kandek concluded.