SolarWinds Patch Manager packages and tests 3rd party applications like Adobe, Chrome, Mozilla, iTunes, etc. Lawrence, based on our past experience, which of these 3rd party apps are most vulnerable?
Lawrence: Most of patches in 3rd party application landscape are security related, and most are related to the user browsing content on-line, in real time. Security updates that focus on Flash and browsers should be at the top of the list for patching.
Sadly the majority of infections we have heard about in recent years were for these known vulnerabilities, meaning that a patch was available for Flash, Chrome, etc., but the patch was not deployed to the environment.
The other kind of applications are those used in an off line mode – like downloading a document or video using Adobe Reader or QuickTime. These tend to be less vulnerable. The risk in these situations is end user does something inadvertently.
Has the increased use of content from social sites (videos, files) changed the frequency of threats from these applications?
Lawrence: Video, in terms of AVI and Windows media files, is not risky because it takes a lot of effort to embed viruses. Flash is the most frequently used medium for viewing video on line today. It is not so much the risk from the Flash files, but ways to exploit Flash code through other methodologies.
Security threats for social media are not about direct attacks on players or browsers, but more around the social engineering aspects. For example, fraudulent posts, and bad links that link to websites designed to steal information. It is the users who are not savvy on these sites and they unknowingly are attacked. It’s like the early days of AOL. Everyone thought AOL was the internet – users did not know what they were doing. Same situation we have today with Facebook.
Do customers need to be concerned about Browser/OS vulnerabilities for their mobile device?
Lawrence: Mobile software, iOS, Windows, etc. are as vulnerable as desktop software. I have not seen incidences where mobile devices have been directly attacked. We hear more about security protections on mobile data – password, encryption schemes. Easy to use, consumer oriented security programs, like 4 digit codes to open your phone, are more of a threat and no amount of patching will solve for that.
Patching mobile systems is not so easy. Hard to get updates to Windows phones with the mobile carriers being responsible for that – hard for Microsoft to get phones patched timely. Android gets regularly updated for those people who are savvy enough to get the Android source and install it. Most people don’t – it’s like installing a new version of Windows.
Will we see more patching for phone software?
Lawrence: Not likely until there are more cases of hacks. I am surprised there have not been more attacks on iOS, because of the prevalence of iOS. Is it harder to attack a mobile phone? Maybe, maybe not. Or perhaps it is the sophistication of the hackers – they don’t have the skill set yet to hack mobile. It could also be that most mobile phones are protected via the carrier’s network – 3G/4G and not using wireless.