Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Web-based exploits on the decline, but users still slow to patch

Lucian Constantin | Jan. 21, 2015
The number of exploit kits on the Web dramatically decreased last year, but some have become more sophisticated and shifted their focus to software that is less frequently updated.

"Silverlight attacks, while still very low in number compared to more established vectors, are on the rise -- especially since August," the Cisco researchers said.

A greater adoption of automatic updates -- especially by organizations, which typically disable such features to prevent possible failures and incompatibility -- would be a solution to the outdated software problem.

However, while some desktop software vendors offer automatic updates, manufacturers of specialized hardware appliances and embedded devices are lagging behind.

The critical Heartbleed vulnerability in OpenSSL that was disclosed in April last year highlighted the difficulties that users have in deploying patches for non-PC software.

Many Web servers and browsers that rely on OpenSSL for secure encrypted communications were patched relatively quickly, but OpenSSL is also used by mobile phones, networking gear, hardware security appliances and a wide variety of other devices that are not easy to update.

"Cisco Security Research used scanning engines to examine devices connected to the Internet and using OpenSSL," the Cisco researchers said in the report. "The team determined that 56 percent of devices surveyed used versions of OpenSSL that were more than 50 months old. This means that despite the publicity given to Heartbleed, the security flaw in the handling of Transport Layer Security (TLS) discovered in 2014, and the urgent need to upgrade to the latest version of OpenSSL software to avoid such vulnerabilities, organizations are failing to ensure that they are running the latest versions."

 

Previous Page  1  2 

Sign up for Computerworld eNewsletters.