For many IT pros and others in the software security community, the threat of an application vulnerability is often considered fully addressed once the vendor responds and releases a patch. Generally, those in the IT world assume that once a vulnerability is patched, the burden of protection shifts to the user. The reality, however, is that vulnerabilities continue to threaten end users long after they are addressed.
A recent report from security researchers at Fortinet’s FortiGuard Labs noted that attackers are still targeting a number of old vulnerabilities that were announced and patched earlier this year. In fact, some of these vulnerabilities are easier to search for and take advantage of than they were when they were first announced.
Ruby on Rails
For instance, a critical vulnerability in the Ruby on Rails framework that could enable remote code execution on an underlying Web server was discovered in January. RoR is used on hundreds of thousands of websites, and there is now a Metasploit module available to scan for the vulnerability, making it easy for attackers to find plenty of vulnerable servers to target.
“RoR was patched to correct the flaw, but four months later it was discovered that an attacker or attackers were searching for and exploiting unpatched Web servers in order to infect them with software,” said Richard Henderson, a security strategist for FortiGuard Labs.
Java and Adobe
Similarly, a Java zero-day discovered in January that enabled attackers to bypass Java’s sandbox and run arbitrary code has been part of exploit kits such as BlackHole, RedKit and Nuclear Pack for months. A Metasploit module makes it easy to search for this flaw as well. Although Oracle patched the vulnerability with model alacrity, it has continued to be targeted.
In July, researchers at Polish firm Security Explorations discovered an issue in Java 7’s Reflection API that enables attackers to bypass Java’s sandbox and remotely execute code on an underlying system, IDG News Service reported. The attack is effectively a “classic” attack that has been known for at least 10 years, prompting questions about the level of code review being exercised in new versions of Java.
A flaw in Adobe Reader, discovered in February, allowed a malicious PDF file to install malware on users’ computers. The flaw was patched within weeks, but it is still being used by cybercriminals to attack unpatched systems, FortiGuard Labs reported.
Security researchers often note that the bulk of known threats can be prevented simply by keeping Java and Adobe – two of the most frequent hacker targets – up to date. As FortiGuard Labs’ research shows, however, many users simply do not take such precautions, meaning that software security issues addressed months ago by the vendors continue to pose a threat.
Given the ongoing challenge of getting users to update their systems, the most reliable protection application developers can offer is to write code as securely as possible from the start. Using tools such as static analysis software and code review programs, developers can catch errors during the programming process, minimizing the danger of threats lingering far into the future.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.