Importance of managing unpatched third-party software

We often take managing third-party software for granted. More specifically, the security vulnerabilities associated with third-party apps are often overlooked altogether, from media players to FTP clients to document viewers. Microsoft doesn't completely dominate our desktops. In fact, I'd venture to guess that the average business computer has as many or more third-party applications running than standard Microsoft applications. Given the fact that researchers and hackers are heavily targeting all the non-Microsoft software on your computers, you've got a pretty sizeable security problem on your hands.

Third-party patching
Microsoft vs. third-party tools for patching

Are off-cycle, third-party patches trustworthy?
From a network security and administration perspective, it's easy to think that unsupported software shouldn't be running anyway – so why bother keeping it patched? It's out of your domain of support and administration after all. Acceptable usage policies defining what users can and cannot install are fine but they're usually violated. The reality is that you can have all the controls and policies in the world but people are still going to install and use third-party applications.

At best – even with the built-in patching features of many third-party apps – they may only be somewhat up to date. It's simple for the user to just say no when the programs prompt for a new version to be downloaded and installed. But it's this very window of opportunity that leads to the unnecessary security exploits businesses experience today.

Recently, Core Security Technologies released five exploit modules for its Core I,pact product affecting applications like OpenOffice, WinPcap and RealPlayer. It's the same deal with Metasploit. Just take a look at its current exploit list and you'll see that the majority of exploits do not target Microsoft applications but rather third-party or competitor apps – many of which run on Microsoft Windows. New exploits are being developed all the time.

All it takes is an attacker with access to your network (i.e., a rogue internal user or an outsider exploiting someone's wireless connection) and a tool like Core Impact or Metasploit and he'll "own" any system running these vulnerable applications in a matter of minutes. Speaking from experience, when using Metasploit, it literally takes just two to three minutes to obtain a remote command prompt with full administrator rights to create backdoor accounts and then some on a system that's running exploitable third-party software.

Don't just ignore third-party applications because they're not supported or because you don't have a good way of managing and patching them. These programs are installed – and will continue to run – on your Windows systems indefinitely, and Microsoft cannot and will not make every type of software we need. An acceptable usage policy is good; however, you need a patch manager that can handle the applications, plus some vigilant and consistent security testing to keep third-party vulnerabilities from wreaking havoc on your Windows network.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.


This was first published in October 2007

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top