It's the applications, stupid

It's always written that the first Presidential candidate Clinton posted, "It's the economy, stupid!" as a banner marquee in his campaign office during his premiere run. This saying supposedly helped focus the staff, resulting in a surprise win for the Democrats.

Well, if you're reading computer security headlines these days, we should all have "It's the client applications, stupid!" in our war rooms. Nothing I'm saying in this blog post is news. I just want to reiterate it so that everyone is on the same page.

Most of today's popular operating systems are becoming fairly hardened at the OS and OSI layers 1 to 3. Remote attacks, where the end-user is not involved at all, are becoming almost a rarity. They are not gone completely, but they are becoming far less prevalent than attacks involving their end-user and installed client applications.

This was reinforced at the CanSecWest conference, which had a hacking contest pitting fully patched versions of Windows versus Mac OS X and Ubuntu Linux. The first day's competition offered a US$20,000 prize for remote exploit hacking. No one claimed the prize, and that's a good thing. There may be remote exploits that would work -- there's bound to be in the larger world of crimeware -- but most contestants waited until day two, when hacking on the box was allowed. Day two required that the hacking be conducted using only default installed software. The Mac was felled in two minutes using a Safari exploit by professional white hat hacker Charlie Miller to gain a US$10,000 prize. I've interviewed Charlie Miller before, and his knowledge of Mac hacking is solid.

The other two computers didn't fall that day.

Day three, with a US$5,000 prize, allowed "common" applications to be installed and hacked locally. On day two, several unsuccessful hackers said aloud that they couldn't wait until day three and for Flash to be installed. Sure enough, the Windows Vista machine was felled by a vulnerability in the Flash software. Apparently the default defenses of Vista's SP1 kept the hackers at bay for several hours, but they were eventually able to circumvent the protections using another third-party application installed on day three, Sun Java.

To be honest, the hacking contest results alone don't really mean much. There's nothing to say that Vista or Ubuntu couldn't have been hacked just as fast on day two (other than they weren't). Charlie Miller obviously had the Safari zero-day in his back pocket and pulled it out to win some money. The winner of day three said the Flash vulnerability could have been equally successful on either of the other two platforms.

So Windows, Mac, and Linux zealots don't really have any more ammunition to attack each other after the contest than they had before. And the positive note was that none of the computers were felled by remote exploits, which, when they exist, can be devastating. That's good for everyone, no matter which platform you are partial to. And the contest did reinforce the idea that client-side applications are the biggest threat. If it isn't something purely browser related, it's a media player, content reviewer, productivity application, or browser plug-in. Most, but not all, require the end-user to click on a link, download content, or execute a file.

If your applications are unpatched, it is much more likely that simply visiting a Web site can silently infect your computer. And remember, visiting only well-known, legitimate Web sites is no longer a defense.

The bad guys (and girls) are using mostly legitimate, well-known Web sites to spread their malware. If you can think of the Web site's name that you visit frequently -- and I mean any Web site -- there is a high likelihood that it was, at least once, infected by malware that spread to visiting users. Even anti-malware vendor Web sites are falling like hot potatoes. Many of the Web sites unknowingly carried malicious advertisements in their banner ads. Others are hacked using Web site vulnerabilities, PHP issues, SQL injection, and so on.

The defenses are to make sure your systems are fully patched, both OS and applications, and to educate your end-users about client-side vulnerabilities:

1. Client-side vulnerabilities are one of the biggest threats they face 2. They can no longer automatically trusted legitimate, well-known Web sites 3. Pictures, video, and active content (such as Flash) can be used to take over their PCs 4. Do not install unapproved client applications

Day after day, I read about how some large store, bank, or government site was taken over by a client-side-initiated attack. Many system administrators are struggling with improving their security. Let this column be your banner.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Roger A. Grimes

Roger A. Grimes

Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?