It's the applications, stupid

It's always written that the first Presidential candidate Clinton posted, "It's the economy, stupid!" as a banner marquee in his campaign office during his premiere run. This saying supposedly helped focus the staff, resulting in a surprise win for the Democrats.

Well, if you're reading computer security headlines these days, we should all have "It's the client applications, stupid!" in our war rooms. Nothing I'm saying in this blog post is news. I just want to reiterate it so that everyone is on the same page.

Most of today's popular operating systems are becoming fairly hardened at the OS and OSI layers 1 to 3. Remote attacks, where the end-user is not involved at all, are becoming almost a rarity. They are not gone completely, but they are becoming far less prevalent than attacks involving their end-user and installed client applications.

This was reinforced at the CanSecWest conference, which had a hacking contest pitting fully patched versions of Windows versus Mac OS X and Ubuntu Linux. The first day's competition offered a US$20,000 prize for remote exploit hacking. No one claimed the prize, and that's a good thing. There may be remote exploits that would work -- there's bound to be in the larger world of crimeware -- but most contestants waited until day two, when hacking on the box was allowed. Day two required that the hacking be conducted using only default installed software. The Mac was felled in two minutes using a Safari exploit by professional white hat hacker Charlie Miller to gain a US$10,000 prize. I've interviewed Charlie Miller before, and his knowledge of Mac hacking is solid.

The other two computers didn't fall that day.

Day three, with a US$5,000 prize, allowed "common" applications to be installed and hacked locally. On day two, several unsuccessful hackers said aloud that they couldn't wait until day three and for Flash to be installed. Sure enough, the Windows Vista machine was felled by a vulnerability in the Flash software. Apparently the default defenses of Vista's SP1 kept the hackers at bay for several hours, but they were eventually able to circumvent the protections using another third-party application installed on day three, Sun Java.

To be honest, the hacking contest results alone don't really mean much. There's nothing to say that Vista or Ubuntu couldn't have been hacked just as fast on day two (other than they weren't). Charlie Miller obviously had the Safari zero-day in his back pocket and pulled it out to win some money. The winner of day three said the Flash vulnerability could have been equally successful on either of the other two platforms.

So Windows, Mac, and Linux zealots don't really have any more ammunition to attack each other after the contest than they had before. And the positive note was that none of the computers were felled by remote exploits, which, when they exist, can be devastating. That's good for everyone, no matter which platform you are partial to. And the contest did reinforce the idea that client-side applications are the biggest threat. If it isn't something purely browser related, it's a media player, content reviewer, productivity application, or browser plug-in. Most, but not all, require the end-user to click on a link, download content, or execute a file.

If your applications are unpatched, it is much more likely that simply visiting a Web site can silently infect your computer. And remember, visiting only well-known, legitimate Web sites is no longer a defense.

The bad guys (and girls) are using mostly legitimate, well-known Web sites to spread their malware. If you can think of the Web site's name that you visit frequently -- and I mean any Web site -- there is a high likelihood that it was, at least once, infected by malware that spread to visiting users. Even anti-malware vendor Web sites are falling like hot potatoes. Many of the Web sites unknowingly carried malicious advertisements in their banner ads. Others are hacked using Web site vulnerabilities, PHP issues, SQL injection, and so on.

The defenses are to make sure your systems are fully patched, both OS and applications, and to educate your end-users about client-side vulnerabilities:

1. Client-side vulnerabilities are one of the biggest threats they face 2. They can no longer automatically trusted legitimate, well-known Web sites 3. Pictures, video, and active content (such as Flash) can be used to take over their PCs 4. Do not install unapproved client applications

Day after day, I read about how some large store, bank, or government site was taken over by a client-side-initiated attack. Many system administrators are struggling with improving their security. Let this column be your banner.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Roger A. Grimes

InfoWorld
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?