Right now everybody talks about the IE 0-day. But is the MS IE 0-day the real threat to corporate networks?

No, it is not. The real threat is represented by all the unpatched third party programs which is installed on every single PC, or as Gartner says:

Deployment of non-Microsoft patches is often significantly slower and less organized. All Internet-based applications, especially browsers and browser plug-ins (i.e.,Adobe and Apple QuickTime), should be a top patching priority.

Gartner, "Top10 Steps to avoid Malware infections", September 2009

Even Adobe concur:

"We know that getting people updated and keeping them updated is the number-one thing we can do in terms of keeping them protected against attacks"

Brad Arkin, Director of product security and privacy at Adobe, January 12 2010

Within the next 4 weeks we will most likely see an update for IE from Microsoft - within 1 to 2 weeks most users and business will have applied the update and that will be the end of that vulnerability.

For all the other non-Microsoft programs this is not so simple, and most companies are actually running versions that should have been patched months or even years ago.

The reason they continue to run outdated and insecure versions is most likely that Patch Management is a complicated task- not only is it complicated to track all the programs that need updating, but repackaging the updates and distributing them is even more complicated!

This is finally going to change with the new Secunia CSI with Microsoft WSUS integration.

If you wish to get a free trial of the CSI v5.0 with Patch management request a trial here.

Scan Now

Priority One : Client-side software that remains unpatched.

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites.

Because the visitors feel safe downloading documents from the trusted sites, they are easily fooled into opening documents and music and video that exploit client-side vulnerabilities. Some exploits do not even require the user to open documents. Simply accessing an infected website is all that is needed to compromise the client software. The victims' infected computers are then used to propagate the infection and compromise other internal computers and sensitive servers incorrectly thought to be protected from unauthorized access by external entities. In many cases, the ultimate goal of the attacker is to steal data from the target organizations and also to install back doors through which the attackers can return for further exploitation.

On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words the highest priority risk is getting less attention than the lower priority risk.

Priority Two: Internet-facing web sites that are vulnerable.

Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.