Skip to main content
June 24, 2015

Ignore At Your Own Peril: Popular Third-party Applications Can have Vulnerabilities Too

Adobe has issued emergency patches to address a critical vulnerability in Flash Player versions and earlier for Windows and Macintosh systems. The vulnerability, CVE-2015-0311, has been exploited in the wild, via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. The vulnerability can potentially allow attackers to take control of an affected system.

The best course of action to mitigate the risk introduced by this vulnerability is to patch the application as soon as possible. We also recommend turning on the "right-click to run" feature for browser plugins. This will help protect against the drive-by-download attacks that have been seen in the wild. As Veracode's Chris Wysopal has put it, "who wants auto-running Flash content anyway?"

This vulnerability was disclosed back in January – almost six months ago. It is alarming that the patch for such a critical vulnerability is only available now. Adobe claims that more than 500 million devices are addressable with Flash technology. With so many devices using Flash, the reach of this vulnerability is staggering.

Branding vulnerabilities is in vogue, yet this vulnerability seems to have escaped that trend. We can be thankful we won't have to look at some sort of lightning bolt logo for the next several weeks. Yet, despite the fact the vulnerability was not branded, this presents an opportunity for security professionals to reassess their ideas about the security of third-party software.

As companies adapt to the digital economy, in which every company is a technology company, enterprises are purchasing an ever-increasing inventory of software in order to keep up with the pace of innovation. When one of these purchased applications has a critical vulnerability, it ends up impacting hundreds or even thousands of companies. Hackers know this, and so they are more likely to create exploits for vulnerabilities in widely used commercial software than a vulnerability in an enterprise-specific application. Basically, they get access to more systems for the same amount of effort.

This is why it is crucial that enterprises stop ignoring the elephant in the room that is vulnerabilities in the software supply chain. Wendy Nather, research analyst for 451 Group, spoke to several CISOs about how they address the security of the software they are buying. Turns out the approaches are as varied as the companies' business models.

Zero-day vulnerabilities will always exist. But our data shows that even enterprises with mature application security programs, which spend millions on security each year, can neglect assessing third-party software for security. This has led to some serious breaches, the most talked about may be the JPMC breach in late 2014. If a company that spends so much time, effort and money securing its internally developed applications can still be breached through the application-layer, any company can. That's why companies need to hold their software vendors to the same security standards to which they hold their own development teams. If enterprises are successfully able to push back on their vendors in this way, we will see a reduction in zero-day vulnerability disclosures because more vendors will be pushed to integrate secure development programs at their companies.

Author: Jessica Lavery

Jessica is part of the content team at Veracode. In this role she strives to create and promote content that will engage, educate and inspire security professionals around the topic of application security. Jessica’s involvement with the security industry goes back more than a decade at companies like Astaro, and Sophos where she held roles in corporate communication and marketing.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.