I had an interesting discussion with a client this week. They were trying to understand how several recent outbreaks of malware had gotten past their existing defenses.
Reviewing their architecture made it clear that while they had an established process for patching Windows and Office, they hadn’t yet extended that process up the stack to their common desktop elements, such as Adobe Acrobat Reader, Adobe Flash, various media players, antivirus, Firefox, Chrome, Safari, and any other software present on a majority of their desktops.
As we get better at patching the OS level and as the OS vendors get better at writing more secure software (Apple still has some work to do…), the bad guys are turning their attention “up the stack” to applications and users. Applications which are present on lots of endpoints are an attractive target.
Adobe’s recent zero-day vulnerability in Acrobat (where a malformed PDF could be used to execute arbitrary code) drove this point home. Do you know which version of Adobe’s software is installed on each and every machine in your organization? Have they all been patched? How about Firefox? Chrome? We have got to get a handle on common desktop software versions and the patches that come with them.
The attackers are moving up the stack. So should we – by extending our existing vulnerability and patch management processes to include all common desktop software elements.