Which are the software world’s most attacked applications?
All applications are attacked to some extent but as time has gone on a favourite list has started to emerge based on two fundamental weaknesses: how widely used that application happens to be and how many software vulnerabilities, known and unknown, have been uncovered in it.
The more popular an app, the larger the number of potential targets, and the more incentive there is to research its vulnerabilities, especially ‘zero day’ ones nobody knows about. That’s a good start for criminals, but it gets better. The more popular an app, the better the chances of finding a user who can be socially-engineered into clicking on an exploit hyperlink or running a malicious file attachment.
If a particular app has been popular for long enough, there is also a good chance that many users won’t have patched themselves against even known vulnerabilities. Multiply all of this by the number of popular apps on a user’s PC, and the scale of software-derived vulnerability starts to become apparent.
The PC is the target
Some years ago, operating systems such as XP and server-side apps were popular objects of attack, but that has switched much more towards attacking PC applications. These have the added benefit that they are used by both consumers and business users alike, and get around having to target attacks against better-defended and more frequently patched business systems.
In this piece we look at targeted apps that run in or from the Windows desktop environment. That’s another point worth making. Exploits overwhelmingly target Windows. This is not the same as saying that Windows and Windows apps have more vulnerabilities at code level per se, merely that their vast popularity makes them lower-hanging fruit for attackers.
What follows below is a list in no particular order, based on indications from a range of sources including the US national vulnerability database. It is important to bear in mind that the frequency of attacks does not necessarily reflect their seriousness. But it is a reminder that every single one of these should be patched as regularly as possible, especially if they are running on laptops that flit between home office and a desk sitting behind the apparent security of the company firewall.
We draw no distinction between standalone apps and web apps, partly because they have blurred over time anyway and partly because users don’t see the distinction. A software attack is a software attack.
Attack frequency is hard to assess, so we’ve plumped for ‘attack surface’, which is to say the number of vulnerabilities reported. Some of these cover old versions, a complicating factor as not everyone will be using old versions.
Adobe Acrobat Reader
There is plenty of evidence that the big daddy of attacked (as opposed to simply being vulnerable) apps is currently Adobe’s Acrobat PDF Reader. It was invented to be free, a way of spreading the popularity of the ingenious PDF file format, and it has succeeded to the extent that it now ships with many consumer PCs as a standard utility. Crucially, it has been around for a long time, and that expands the range of vulnerabilities in older versions.
Adobe’s rather laid-back approach to patching hasn’t helped Acrobat, and malicious PDFs have grown into a common exploit vector. Adobe has since restructured its whole updating design to be automatic through monthly updates, which should help the app stem the tide over the next year.
Users worried about Acrobat vulnerabilities can view PDFs using one of a number of rival PDF readers, such as the popular and free Nitro reader. Compatibility doesn’t appear to be the issue it once was with non-Adobe PDF readers.
Adobe also plans to run a sandbox feature on its Reader app, another security add-on designed to deflect attacks.
Adobe Flash Player
A glance at the vulnerability advisories of independent security research companies such as Secunia shows that Adobe’s Flash Player plug-in for video also figures prominently, for the same reason as Acrobat – longevity and huge popularity across all browsers. Flash has become a web standard, albeit a proprietary one.
Adobe’s Flash player is not loved by everyone, however. See also Air.
Web browsers – all of them
According to the US National Vulnerability Database (NVD), Internet Explorer, Firefox, Chrome and even Apple Safari have all suffered from plenty of high-severity vulnerabilities in the first half of 2010. Luckily, browsers are updated frequently.
People tend to forget just how many vulnerabilities are uncovered in browsers. According to the NVD, between approximately July and September of 2010 IE reported 9 new vulnerabilities of all levels of seriousness, Firefox 33, Chrome 52 and Safari 18. All have improved over time but given that many users run two or even three at a time, the level of app vulnerability in this layer alone is worth paying attention to.
Security company Qualys offers a free Browser check to spot notable vulnerabilities.
Microsoft Office – Word, Excel and PowerPoint
For obvious reasons another big target has been Microsoft’s Office suite, but reported vulnerabilities do appear to be waning compared to previously high levels. There was a time when the company’s main office apps were a constant worry right down to simple malicious macros running inside Word. The difference here has been Microsoft’s regular patching and its software development cycle (SDL).
According to the NVD, Word, Excel and PowerPoint have between them generated 14 vulnerabilities in the last three months, a huge improvement on the past.
Not an app as such but a runtime environment, but it is everywhere on most PCs including being embedded in browsers. In the last three months, it has generated a modest 21 vulnerabilities, but many older versions sit on PCs.
Social engineering attacks - Google search and Web 2.0
Google isn’t an app, of course, but a search engine, and that makes it vulnerable to what are called SEO poisoning attacks, where search results are manipulated to send unwary users to malicious websites used to hit them with an exploit. This does not just affect Google, although it is by some margin the most popular search platform.
SEO poisoning is hugely dynamic and often tries to manipulate trending topics to drive exploit sites and malware to the top of search results. It can appear to happen in real time.
We mention this as a pointer to how exploits for specific software vulnerabilities are increasingly designed to hit people through web intermediaries. Just setting up an exploit for a known or zero day vulnerability is not enough; the criminal needs a way to connect that vulnerability with the target app.
What about Twitter, Facebook and the like?
Clearly, social media are now a new frontier in the battle to engineer people into clicking on links they might not otherwise click on. The reason is that when inside such sites people are assumed to be more suggestible because they take trust for granted.
Social media was cited by US SMEs as a source of malware infection in one recent survey (although the actual attack methods were not explored). Evidence for Twitter and Facebook being used to push malware is sporadic, though spam and nuisance has certainly flowed on occasion.
However, as May’s ‘beach babes’ attack in Facebook demonstrated, distributing malware is still a real threat.