Sourcefire says applications the new security battleground, predicts "awesome" attack on Web 2.0

The Senior Director of Sourcefire’s Vulnerability Research Team says criminals are turning away from exploiting operating system vulnerabilities, and are now targeting ubiquitous productivity applications.

Creators of online attacks will look to exploit vulnerable applications, rather than operating systems, according to Matt Watchinski, Senior Director of Sourcefire’s Vulnerability Research Team.

“The bad guys are branching out,” Watchinski told SearchSecurity ANZ. “We are all used to focusing on patching our Windows boxes. Now it is the applications you run every day that you need to worry about, and those vendors are not as good [at distributing patches] as Microsoft. It (patching) is not integrated into your operating system, there is no magic button on your desktop that patches your instant messenger or peer-to-peer client, your Adobe Reader and so on.”

The lack of patch management tools, Watchinski said, will be keenly felt by security professionals.

“Traditional patch management systems are focussed solely on operating system patches and make it very easy to roll out 10,000 patches to desktops. It is harder to push out fixes to Adobe Reader and get them all updated.”

“We are going to see, in my opinion, vendors like Adobe work to get the same kind of security Microsoft has. Instead of focussing on their core business – making PDFs look prettier – they are going to have to focus on making those applications manageable, so that they can be incorporated into corporate [patching] systems, or people are going to rip that software out of their enterprise.”

Watchinski believes another likely source of attacks is Web 2.0 applications.

“I think in the next six months or a year we will see some really awesome – from an attack perspective – exploits on Google Apps. I think we will see something that affects a large number of people who use Google Docs or Gmail.”

“We will see stuff very similar to the Facebook worms, that contact one person and then contact all their friends. It will abuse some piece of that Web 2.0 infrastructure.”

Watchinski said he believes the attacks are inevitable because of the complexity and immaturity of Web 2.0 technologies.

“When you look at Gmail, it is a very complicated Web 2.0 application,” he said. “It does a lot of escaping HTML, a lot of escaping of JavaScript. This is very difficult to do 100% right, 100% of the time. And then you have plugins like Firefox Better Gmail that add a whole new layer. So perhaps you have someone start with one of these plugins that is not the core app, use those things to their advantage and find something that is core to Gmail.”

Similar attacks are already in the wild, Watchinski said, citing an exploit he has seen that allowed attackers to send Gmail users a malware-laden email that allowed code to be executed on the client system.

“I think that is the beginning of this,” he concluded.
