You Are the Weakest Link!
An article by Brian Krebs from the Washington Post discusses the impact of research by Richard M. Smith, which details a large number of potential vulnerabilities in third-party ActiveX controls. This research is scary and paints a grim picture of the state of desktop security.
Also in the news: the latest Winamp flaw is being exploited to install malware.
The bottom line here is that the new battleground for desktop security will not be the OS or the browser but third-party applications. The reason is fairly simple - bad guys go for the largest base of easy targets.
It sounds overly simplistic, but why would bad guys put monumental effort into developing the next exploit if the target has a reliable mechanism to update within 30 days? I'm not saying that all IE users are updating their browsers with every MS security update, but the number is rising all the time.
Think of the goldmine of third-party applications that can be exploited on most browsers - Java, Flash, Winamp, QuickTime. Most of these applications rarely get patched, and even most corporations pay little attention to them.
This is exactly the reason that spyware authors can use an 18-month-old Java vulnerability and catch most Internet users off guard. After all the work we've done getting people to patch Windows and IE, it looks like we're back to the drawing board...
