It's the applications, stupid

It's always written that the first Presidential candidate Clinton posted, "It's the economy, stupid!" as a banner marquee in his campaign office during his premiere run. This saying supposedly helped focus the staff, resulting in a surprise win for the Democrats.

Well, if you're reading computer security headlines these days, we should all have "It's the client applications, stupid!" in our war rooms. Nothing I'm saying in this blog post is news. I just want to reiterate it so that everyone is on the same page.

Most of today's popular operating systems are becoming fairly hardened at the OS and OSI layers 1 to 3. Remote attacks, where the end-user is not involved at all, are becoming almost a rarity. They are not gone completely, but they are becoming far less prevalent than attacks involving their end-user and installed client applications.

This was reinforced at the CanSecWest conference, which had a hacking contest pitting fully patched versions of Windows versus Mac OS X and Ubuntu Linux. The first day's competition offered a US$20,000 prize for remote exploit hacking. No one claimed the prize, and that's a good thing. There may be remote exploits that would work -- there's bound to be in the larger world of crimeware -- but most contestants waited until day two, when hacking on the box was allowed. Day two required that the hacking be conducted using only default installed software. The Mac was felled in two minutes using a Safari exploit by professional white hat hacker Charlie Miller to gain a US$10,000 prize. I've interviewed Charlie Miller before, and his knowledge of Mac hacking is solid.

The other two computers didn't fall that day.

Day three, with a US$5,000 prize, allowed "common" applications to be installed and hacked locally. On day two, several unsuccessful hackers said aloud that they couldn't wait until day three and for Flash to be installed. Sure enough, the Windows Vista machine was felled by a vulnerability in the Flash software. Apparently the default defenses of Vista's SP1 kept the hackers at bay for several hours, but they were eventually able to circumvent the protections using another third-party application installed on day three, Sun Java.

To be honest, the hacking contest results alone don't really mean much. There's nothing to say that Vista or Ubuntu couldn't have been hacked just as fast on day two (other than they weren't). Charlie Miller obviously had the Safari zero-day in his back pocket and pulled it out to win some money. The winner of day three said the Flash vulnerability could have been equally successful on either of the other two platforms.

So Windows, Mac, and Linux zealots don't really have any more ammunition to attack each other after the contest than they had before. And the positive note was that none of the computers were felled by remote exploits, which, when they exist, can be devastating. That's good for everyone, no matter which platform you are partial to. And the contest did reinforce the idea that client-side applications are the biggest threat. If it isn't something purely browser related, it's a media player, content reviewer, productivity application, or browser plug-in. Most, but not all, require the end-user to click on a link, download content, or execute a file.

If your applications are unpatched, it is much more likely that simply visiting a Web site can silently infect your computer. And remember, visiting only well-known, legitimate Web sites is no longer a defense.

The bad guys (and girls) are using mostly legitimate, well-known Web sites to spread their malware. If you can think of the Web site's name that you visit frequently -- and I mean any Web site -- there is a high likelihood that it was, at least once, infected by malware that spread to visiting users. Even anti-malware vendor Web sites are falling like hot potatoes. Many of the Web sites unknowingly carried malicious advertisements in their banner ads. Others are hacked using Web site vulnerabilities, PHP issues, SQL injection, and so on.

The defenses are to make sure your systems are fully patched, both OS and applications, and to educate your end-users about client-side vulnerabilities:

1. Client-side vulnerabilities are one of the biggest threats they face 2. They can no longer automatically trusted legitimate, well-known Web sites 3. Pictures, video, and active content (such as Flash) can be used to take over their PCs 4. Do not install unapproved client applications

Day after day, I read about how some large store, bank, or government site was taken over by a client-side-initiated attack. Many system administrators are struggling with improving their security. Let this column be your banner.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Roger A. Grimes

Roger A. Grimes

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?