It's the applications, stupid

It's always written that the first Presidential candidate Clinton posted, "It's the economy, stupid!" as a banner marquee in his campaign office during his premiere run. This saying supposedly helped focus the staff, resulting in a surprise win for the Democrats.

Well, if you're reading computer security headlines these days, we should all have "It's the client applications, stupid!" in our war rooms. Nothing I'm saying in this blog post is news. I just want to reiterate it so that everyone is on the same page.

Most of today's popular operating systems are becoming fairly hardened at the OS and OSI layers 1 to 3. Remote attacks, where the end-user is not involved at all, are becoming almost a rarity. They are not gone completely, but they are becoming far less prevalent than attacks involving their end-user and installed client applications.

This was reinforced at the CanSecWest conference, which had a hacking contest pitting fully patched versions of Windows versus Mac OS X and Ubuntu Linux. The first day's competition offered a US$20,000 prize for remote exploit hacking. No one claimed the prize, and that's a good thing. There may be remote exploits that would work -- there's bound to be in the larger world of crimeware -- but most contestants waited until day two, when hacking on the box was allowed. Day two required that the hacking be conducted using only default installed software. The Mac was felled in two minutes using a Safari exploit by professional white hat hacker Charlie Miller to gain a US$10,000 prize. I've interviewed Charlie Miller before, and his knowledge of Mac hacking is solid.

The other two computers didn't fall that day.

Day three, with a US$5,000 prize, allowed "common" applications to be installed and hacked locally. On day two, several unsuccessful hackers said aloud that they couldn't wait until day three and for Flash to be installed. Sure enough, the Windows Vista machine was felled by a vulnerability in the Flash software. Apparently the default defenses of Vista's SP1 kept the hackers at bay for several hours, but they were eventually able to circumvent the protections using another third-party application installed on day three, Sun Java.

To be honest, the hacking contest results alone don't really mean much. There's nothing to say that Vista or Ubuntu couldn't have been hacked just as fast on day two (other than they weren't). Charlie Miller obviously had the Safari zero-day in his back pocket and pulled it out to win some money. The winner of day three said the Flash vulnerability could have been equally successful on either of the other two platforms.

So Windows, Mac, and Linux zealots don't really have any more ammunition to attack each other after the contest than they had before. And the positive note was that none of the computers were felled by remote exploits, which, when they exist, can be devastating. That's good for everyone, no matter which platform you are partial to. And the contest did reinforce the idea that client-side applications are the biggest threat. If it isn't something purely browser related, it's a media player, content reviewer, productivity application, or browser plug-in. Most, but not all, require the end-user to click on a link, download content, or execute a file.

If your applications are unpatched, it is much more likely that simply visiting a Web site can silently infect your computer. And remember, visiting only well-known, legitimate Web sites is no longer a defense.

The bad guys (and girls) are using mostly legitimate, well-known Web sites to spread their malware. If you can think of the Web site's name that you visit frequently -- and I mean any Web site -- there is a high likelihood that it was, at least once, infected by malware that spread to visiting users. Even anti-malware vendor Web sites are falling like hot potatoes. Many of the Web sites unknowingly carried malicious advertisements in their banner ads. Others are hacked using Web site vulnerabilities, PHP issues, SQL injection, and so on.

The defenses are to make sure your systems are fully patched, both OS and applications, and to educate your end-users about client-side vulnerabilities:

1. Client-side vulnerabilities are one of the biggest threats they face 2. They can no longer automatically trusted legitimate, well-known Web sites 3. Pictures, video, and active content (such as Flash) can be used to take over their PCs 4. Do not install unapproved client applications

Day after day, I read about how some large store, bank, or government site was taken over by a client-side-initiated attack. Many system administrators are struggling with improving their security. Let this column be your banner.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Roger A. Grimes

Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?