SANS Report Says Organizations Focusing On the Wrong Security Threats

yahoi writes "Companies around the world are leaving themselves wide open to Web- and client-side attacks, according to a new report released today by the SANS Institute that includes real attack data gathered from multiple sources. SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat: 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, and Adobe Flash and other tools. Exacerbating the problem, they're taking twice as long to patch Microsoft Office and other applications than to patch their operating systems."

Re:Can only apply the patches you get

[compro01]

I don't think the problem is lack of application patches being provided, but the lack of them being delivered well.

The problem as I see it is there is no good method of application patch delivery on Windows (And Mac for that matter). On Linux and BSD, you have package managers built into the distro that handles everything from the repositories (either the distro repositories or the application's repositories). On Windows, there is no such thing (Yes, there package managers available, but they are not included stock and aren't widely used) and every application has to handle things itself, either by checking on startup or adding yet another background process taking up resources, both of which are decidedly non-optimal solutions.

In the former, with infrequently used apps (Stuff like Adobe Reader comes to mind), you're going to have infrequent (and thus large) updates, which would result in something like "What? A 15MB update? I don't have time for that, I need to read this PDF." with the obvious consequences or the file being opened before the update option is presented, with the same result.