A constant patch and review process is essential to defend a company's IT resources.
Following a recent presentation by Secunia, in which its director of research analysis Stefan Frei spoke about the threat posed by unpatched PCs running multiple software packages, Idappcom CTO Anthony Haywood said that the problem of inter-application security issues has existed ever since the Windows API first appeared in 1985.
He claimed that blaming third-party apps for security problems on PCs is the incorrect way of approaching the perennial problem of the way software applications interact with each other.
He also said that the gap between a flaw being exploited and the IT team patching it after the fact needs to be addressed. “It's interesting to note that Secunia has developed its own auto-update application (PSI 2.0) which is free of charge and is actually a reduced feature version of the pay-for edition,” Haywood said.
“The good news is that the message about the requirement for timely patches appears to be getting through to the software vendor community, especially Adobe, which now has an auto-update mechanism for Acrobat, Flash and Reader, developed apparently after lobbying from users.
“When allied to a competent security advisory service, IT security managers can rest easy in their beds, sure in the fact that their IT resources are as well defended as it is possible to be with the resources that are now available.”
Talking to SC Magazine, Frei referred to a blog post reporting research which found that fully automated update delivery, requiring no user interaction (silent updates), outperformed the other patching techniques found in popular web browsers.
He said: “Based on the ‘Insecurity Iceberg’ we see silent updates as a desirable path to reduce the risk exposure of a large part of the internet population. However, there is this looming ‘loss of control’ argument over mechanisms that silently update an application without any user interaction, especially when expert users require control over what is installed on their machines.”
He summarised this by saying: “We want automatic patching capability for software updates activated by default. This serves the large masses of unsavvy internet users but the automatic patching must be configurable, so that experts or enterprises could tailor it to their needs.
“There is no ‘one size fits it all’ and we think that protecting users by default, while giving experts the means to configure the process, is the best approach to heighten security at large. This implies that software vendors should provide this capability in their products.”