I had an interesting discussion with a client this week. They were trying to understand how several recent outbreaks of malware had gotten past their existing defenses.
In reviewing their architecture, it became clear that while they had an established process for patching Windows and Office, they hadn’t yet extended the process up the stack to their common desktop elements like Adobe Acrobat Reader, Adobe Flash, various media players, antivirus, Firefox, Chrome, Safari, and any other software element that was present on a majority of their desktops.
As we get better at patching the OS level and as the OS vendors get better at writing more secure software (Apple still has some work to do…), the bad guys are turning their attention “up the stack” to applications and users. Applications which are present on lots of endpoints are an attractive target.
Adobe’s recent zero-day vulnerability in Acrobat (where a malformed PDF could be used to execute arbitrary code) drove this point home. Do you know what version of Adobe Reader is installed on each and every machine in your organization? Have they all been patched? How about Firefox? Chrome? We have got to get a handle on common desktop software versions and the patches that come with them.
The attackers are moving up the stack. So should we – by extending our existing vulnerability and patch management processes to include all common desktop software elements.
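A first step toward answering “what version is on every desktop?” is to inventory the installed third-party software from the Windows uninstall registry keys and compare it against a minimum patched version. The script below is an added example, not part of the original post; the product names, the minimum versions (placeholders) and the function name `Get-DesktopSoftwareStatus` are assumptions, and the baseline values must be replaced with the versions from each vendor’s current advisory.

```powershell
# Added example: inventory common desktop software and flag out-of-date installs.
# Baseline values are PLACEHOLDERS; set each one from the vendor's patched version.
$Baseline = @{
    'Adobe Reader'       = [version]'0.0.1'   # PLACEHOLDER minimum patched version
    'Adobe Flash Player' = [version]'0.0.1'   # PLACEHOLDER
    'Mozilla Firefox'    = [version]'0.0.1'   # PLACEHOLDER
    'Google Chrome'      = [version]'0.0.1'   # PLACEHOLDER
}

# Both 64-bit and 32-bit (WOW6432Node) uninstall hives, so 32-bit apps on x64 are seen.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-DesktopSoftwareStatus {
    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }

    foreach ($product in $Baseline.Keys) {
        $found = $installed | Where-Object { $_.DisplayName -like "$product*" }
        if (-not $found) {
            # Not installed is also worth recording: it may mean the inventory is wrong.
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Product = $product
                               Installed = '(not found)'; Minimum = $Baseline[$product]
                               Status = 'ABSENT' }
            continue
        }
        foreach ($entry in $found) {
            $parsed = $null
            # Vendors do not always write a clean dotted version; treat those as needing review.
            $status = if ([version]::TryParse($entry.DisplayVersion, [ref]$parsed)) {
                if ($parsed -lt $Baseline[$product]) { 'OUTDATED' } else { 'OK' }
            } else { 'UNPARSEABLE' }
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Product = $entry.DisplayName
                               Installed = $entry.DisplayVersion; Minimum = $Baseline[$product]
                               Status = $status }
        }
    }
}

Get-DesktopSoftwareStatus | Sort-Object Status, Product | Format-Table -AutoSize
```

Run on one machine it reports that host only; to cover the fleet, run the same function through your remoting or management tooling and collect the objects centrally, then feed the OUTDATED and ABSENT rows into the existing patch process.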