Oracle Java became the most frequently exploited software in 2012, surpassing Adobe Reader and Adobe Flash, which were second and third respectively, according to recently released data from Kaspersky Labs. The security company's report also underscored the success of companies such as Microsoft in improving their patching practices, Channelnomics noted.
While Adobe and Microsoft Windows flaws were common targets for cybercriminals looking for exploits to distribute malware in the past, both companies have worked to reduce their threat profile by building features such as automatically scheduled updates into their code, according to Channelnomics. This year, just 3 percent of exploits reported in the Kaspersky study targeted Windows components or Internet Explorer. Adobe Reader was responsible for 28 percent of software security incidents involving vulnerability exploits, down from 35 percent in 2011, while Java flaws comprised 50 percent of the total, up from 25 percent in 2011.
Channelnomics explained that Oracle's lag behind Microsoft and Adobe arises in part from the fact that Oracle was not traditionally responsible for managing the security of its products, instead letting Microsoft and Apple manage Java updates for their respective operating systems. A spate of problems with Java has since prompted many experts to call for users to uninstall the program altogether, and Apple announced that Java will be disabled by default in future versions of its operating systems. Channelnomics writer Stefanie Hoffman speculated that Oracle may be expected to follow the model of Microsoft, Adobe and Apple in implementing regularly scheduled patch updates.
Strengthening software with better coding
A Bloomberg News article about the Kaspersky study noted that the common thread among a large number of recent software security and cybersecurity incidents has been flawed software or network design. Comparing software to the auto industry, the publication suggested that, while the dangers of hackers cannot be eliminated, they can be reduced, much in the same way airbags and seatbelt laws cut vehicular death rates. Experts noted the difficulty of setting legal standards for software security, suggesting that the pressure is instead on developers to build in security measures.
Bloomberg News reported that its analysis showed many of the hacks of the past year were due to basic, easily fixed flaws. One development expert noted that many enterprises may only have one security person per 500 or 1,000 developers, creating an impossible imbalance for tracking potential errors. According to Microsoft's general manager of product security, Matt Thomlinson, steps such as automating updates have been successful in reducing the number of incidents, but the best defense is strengthening code during development.
"I don't think you're ever going to get to the point where there are zero vulnerabilities," he told Bloomberg News. "We can remove vulnerabilities from the code, and that's what we've attempted to do."
By using source code analysis software, developers can reduce the number of exploitable flaws in their code and catch potential security issues during development, without hiring security staff to match the number of programmers. As companies such as Microsoft demonstrate their own successes with strengthening their software, other organizations may see the effects of doing so and follow suit.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.