Neglect of software upgrades underscores need for secure coding


on Jun 4, 13 • by Chris Bubinas


Attackers recently used a zero-day vulnerability in Internet Explorer 8 to target employees at U.S. government agencies, prompting discussion about the challenges of securing large organizations that are slow to make changes. Given the difficulty of ensuring that organizations make necessary updates, programmers should work to strengthen software security as much as possible during the development process.

Security researchers first noticed the IE8 vulnerability being used in a watering hole attack on the U.S. Department of Labor website. JavaScript on the site would redirect visitors using IE8 on Windows XP to a malicious site. The exploit appeared to be targeting Department of Energy employees involved in nuclear weapon development. The flaw does not appear in newer versions of Internet Explorer. Microsoft issued a patch for IE8 on May 14.

Attackers likely targeted the government agencies because they knew that many departments continue to use outdated versions of Windows and IE, according to CSO. Given the cost and complexity of managing updates in such large organizations, many remain slow to implement changes or install new software. In some cases, adopting new software would create system-wide complications.

“There’s a lot of government agencies, and commercial entities as well, that simply cannot upgrade to these latest versions,” Eddie Mitchell, a security researcher for Invincea, told CSO. “They have internal applications, HR (human resource) applications, payroll applications and such that were designed explicitly to work with Internet Explorer 8, which is why these organizations are still vulnerable.”

While developers may assume that they can address software security with future updates or releases, the reality is that many organizations continue to run outdated software. As a result, security should be a focus from the outset of any development process. Using tools such as static analysis software, programmers can catch errors before the code is released, minimizing the likelihood of zero-day vulnerabilities being targeted years down the line.

Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.
