How Bad Software Updates Put Your Network at Risk

So you've identified that a user on (or attempting to join) your network has unpatched software that needs to be secured. How do you identify the offending program quickly and effectively? It could be their operating system, browser, Java, or even Adobe Flash!

As someone in the security field, you know that the majority of exploited vulnerabilities originate in a small group of widely installed applications. Even average users are being educated on this point and are taking better care to keep their software up to date. You may elect to deny this user network access or put them in a remediation VLAN, but then what? Ideally they receive a notification explaining that they were denied access or relegated to a remediation VLAN because vulnerable software was found on their system, and that they must update it before being given full access.

What happens after the remediation notice is sent?

This probably all seems like standard operating procedure so far, but what happens after the user receives the remediation notification? As many organizations embrace BYOD and remote work policies, they also tend to adopt FYOD (fix your own device) policies. So this user will presumably open their favorite web browser, search for 'update Adobe Flash', and lead themselves through updating and remediating their compliance state. If all goes well, they'll be back on the compliant VLAN in no time.

But what happens if that user performs the search from a toolbar and is led to an untrustworthy advertisement disguised among the genuine search results, or simply makes a typo in their initial search query? They could very easily land on a website serving malware disguised as a software update. While it's common for malware and PUAs to disguise themselves as legitimate software, the lures have historically been freeware, shareware, gambling, and adult content (there are even entire families of fake antivirus products that are really adware or malware). It has not been common for bad actors to use software updates as the lure.

TrendLabs has documented exactly such a case and wrote a great report on it. They found an intriguing piece of malware that disguises itself as an update for Adobe Flash and uses a cached list of usernames and passwords to attempt to log in to the router. Once it gets access, it scans the local area network, steals data, and even deletes itself after sending its payload to a C&C server. It's an interesting tactic: it takes advantage of users who are already trying to improve their security.

Software Vulnerability Protection with OESIS

So aside from remotely patching these systems or maintaining an exhaustive list of trusted update sources and instructions, what's a network administrator supposed to do? We suggest using OESIS to detect and patch out-of-date software!

As you may know, the OESIS Vulnerability Assessment Module provides fast and accurate information about the patch state of hundreds of commonly exploited applications. What you may not know is the Vulnerability Assessment Module also has a method called GetRemediations that provides an easy solution to the above scenario, protecting your users and improving their overall experience.

In a sample workflow, the OESIS implementer would first enumerate all installed applications on the system, and then find any applications that are not up-to-date by using the GetProductPatchLevel method.

Using the OESIS endpoint assessment tool, I'm able to show that the installation of Dropbox on this computer is eight versions behind the latest publicly available release. At this point, sending a generic message to the user to 'upgrade their software' is a good start. But the next steps require the user to figure out how to update their software on their own. This may sound trivial, but as TrendLabs has pointed out, it's a new vector for spreading malware. So instead, the OESIS implementer should call the GetRemediations method.

Notice that OESIS has returned the URL of the official source for downloading an update for the user's software. There is no need to send the user on a possibly dangerous search or to write up application-specific instructions. Simply return the result.remediation_link to the user, and they are one click away from safely updating their software to the latest version. The same functionality can be seen in the 'Basic Mode' of the OESIS endpoint assessment tool.
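The two-step workflow above (check the patch level, then hand the user a vetted remediation link instead of a search query) is easy to get subtly wrong on the integrator's side. The following is an added illustrative example, not OESIS SDK code: it stands in for GetProductPatchLevel and GetRemediations with a small local catalog, and it adds the check a NAC integrator should make before forwarding any link to a user, namely that the link is HTTPS and its host is on a vendor allowlist. The product names, release histories, hosts (on the reserved .test TLD) and URLs are all constructed for the example and are not real update sources.

```python
"""Illustrative NAC remediation workflow (added example; not the OESIS SDK).

get_product_patch_level / get_remediations mirror the shape of the OESIS calls
described above but are backed by a constructed catalog, not the real module.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-in for the vendor-maintained patch catalog. Release lists are
# ordered oldest -> newest. Hosts use the reserved .test TLD and never resolve.
CATALOG = {
    "Dropbox": {
        # Nine known releases: a host on the oldest one is eight versions behind.
        "releases": ["3.0.3", "3.0.4", "3.0.5", "3.1.8", "3.2.1",
                     "3.2.2", "3.2.3", "3.2.5", "3.2.6"],
        "remediation_link": "https://updates.vendor-a.test/dropbox/latest",
    },
    "Adobe Flash Player": {
        "releases": ["16.0.0.296", "16.0.0.305"],
        # Deliberately weak catalog entry: plain HTTP. Anyone on the user's
        # (home or coffee-shop) network could swap the installer, so the
        # workflow below refuses to forward it.
        "remediation_link": "http://updates.vendor-b.test/flash/latest",
    },
    "Java": {
        "releases": ["8u25", "8u31"],
        "remediation_link": "https://updates.vendor-c.test/java/latest",
    },
}

# Hosts an integrator has verified as the vendors' official download origins.
ALLOWED_HOSTS = {"updates.vendor-a.test", "updates.vendor-b.test",
                 "updates.vendor-c.test"}


@dataclass
class PatchLevel:
    product: str
    installed: str
    latest: str
    versions_behind: Optional[int]  # None: installed build unknown to the catalog


def get_product_patch_level(product, installed, catalog=CATALOG):
    """Stand-in for GetProductPatchLevel: how many releases behind is the host?"""
    entry = catalog.get(product)
    if entry is None:
        return None
    releases = entry["releases"]
    latest = releases[-1]
    if installed not in releases:
        return PatchLevel(product, installed, latest, None)
    behind = len(releases) - 1 - releases.index(installed)
    return PatchLevel(product, installed, latest, behind)


def is_trusted_link(url, allowed_hosts=ALLOWED_HOSTS):
    """Only forward https links whose host is on the allowlist.

    urlparse().hostname is used rather than a substring match so that a URL
    such as https://updates.vendor-a.test@evil.test/ is seen as evil.test.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def get_remediations(inventory, catalog=CATALOG):
    """Stand-in for GetRemediations.

    inventory maps product name -> installed version. Returns one record per
    product that is out of date or on an unknown build. A catalog link that
    fails is_trusted_link is reported as None rather than passed through, so
    the caller can never hand the user an unvetted URL.
    """
    results = []
    for product, installed in inventory.items():
        level = get_product_patch_level(product, installed, catalog)
        if level is None or level.versions_behind == 0:
            continue
        link = catalog[product]["remediation_link"]
        results.append({
            "product": product,
            "installed": installed,
            "latest": level.latest,
            "versions_behind": level.versions_behind,
            "remediation_link": link if is_trusted_link(link) else None,
        })
    return results


def remediation_notice(rem):
    """The text a captive portal or VPN client would show on the remediation VLAN."""
    if rem["remediation_link"]:
        return (f"{rem['product']} {rem['installed']} is out of date (latest is "
                f"{rem['latest']}). Update from the official source: "
                f"{rem['remediation_link']}")
    return (f"{rem['product']} {rem['installed']} is out of date, but no trusted "
            f"update link is available. Contact the help desk; do not search "
            f"the web for an installer.")


if __name__ == "__main__":
    # Constructed inventory for an endpoint joining the network.
    host = {"Dropbox": "3.0.3", "Adobe Flash Player": "16.0.0.296", "Java": "8u31"}
    for rem in get_remediations(host):
        print(remediation_notice(rem))
```

Running the script prints a notice with a link for Dropbox, a no-link notice for Flash (its catalog entry was HTTP), and nothing for Java, which is current. The point of treating a rejected link as "no link" rather than falling back to a generic "go update it" message is the one the TrendLabs case makes: a user told to go find an installer themselves is exactly the user a fake-update lure is built for.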

This is the 'basic mode' of the endpoint assessment tool. The products listed in the top half, in orange, are not up-to-date. In this case, I'll click on 'Dropbox' to get more information.

The detailed page for Dropbox has opened. It shows some pertinent information about the product as gathered by OESIS, and it also provides an 'Update' button. Clicking it loads the URL that was returned by the OESIS GetRemediations method.

The browser opens and the latest version of Dropbox is downloaded automatically. This ensures a simple and pleasant user experience.

OESIS makes the entire process fast, safe and easy for users. If you didn't think SSL-VPN and NAC remediation workflows could be user-friendly, think again. Think OESIS.
