
client side outdated software query.

pma111 asked:
How specifically do attacks that target outdated software on a Windows device, e.g. something assigned to an employee for daily duties such as a laptop/desktop, actually occur? Do they always require some form of user mistake, or does the very fact that the software is outdated pose a problem regardless of tricking a user into some form of action?

I was thinking of things such as iTunes/Adobe/Java/non-MS browsers, as was suggested in another post, as some of the higher-risk third-party apps in terms of targets for hackers. I was just trying to identify some scenarios where those kinds of things could be exploited, perhaps by someone external to the company.

BRONZE EXPERT, Distinguished Expert 2019, commented:
The answer depends on the vulnerability.

For example, a recent IE vulnerability required a specially crafted website that would throw particular types of data that exploited the jscript.dll file. The only user interaction involved in the machine being exploited was simply hitting a website. (If the site of a legitimate partner were compromised and crafted to exploit an unpatched machine, is that a user error?)
btan, Exec Consultant (SILVER EXPERT, Distinguished Expert 2019), commented:
The exploit reaches the unpatched machine via the common threat scenarios, in a number of ways:

  • Spear phishing emails attached with files (e.g., Microsoft Office documents, Adobe PDFs, or other software executables or components) embedded with an exploit
  • Phishing and spam emails socially engineered to lure unwitting recipients to click URLs and links to malicious or compromised websites hosting an exploit (watering hole attack)
  • Exploit kits whose attack chains involve malvertisements and malicious sites that host exploits
  • Compromising a system, server, or network — either through brute-force and dictionary attacks, misconfigurations, or inadvertent exposure to the internet — where attackers can then use exploit-laden malware

You are also right that SMEs can be targeted, as they likely have not been keeping all systems up to date. Another scenario is via a supplier who has access to the customer's systems: the threat actor pivots through the compromised supplier machine to get into your network and data. The link has more examples which may resonate with my sharing.

https://www.ninjarmm.com/blog/it-horror-stories-why-unpatched-software-hurts-business/

Hello There, System Administrator (BRONZE EXPERT, Distinguished Expert 2018), commented:
That doesn't mean you had better not install such software. You can use it without concern if you patch regularly. Patching vulnerable software regularly really reduces security risk.

An example:
Victims received emails with short links to the malicious website, generated by the Google URL Shortener. After they download and open a Word document, the attack exploits a Flash vulnerability and opens a cmd.exe, which is then remotely injected with malicious shellcode that connects back to the malicious domain. The shellcode downloads an m.db DLL from the same domain, which is executed using the regsvr32 process in order to bypass security mechanisms. As a result, victims unknowingly hand over control of their systems to a hacker.
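The chain in the comment above (Word spawning cmd.exe, then regsvr32 registering a module with a non-DLL name such as m.db from a user-writable path) leaves two process-creation events that are easy to alert on. The following is an added example, not code from the original thread or from any vendor: it runs two simple detection rules over a handful of constructed, Sysmon-style process-creation records. The field names (EventId, ParentImage, Image, CommandLine), the rule names, the paths and user name are all assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# Office applications that should not normally spawn a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in binaries commonly used as the first stage after a document exploit.
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Path fragments that indicate a user-writable location (lower-case comparison).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Extensions regsvr32 legitimately registers.
LEGIT_MODULE_SUFFIXES = {".dll", ".ocx", ".ax"}


def _basename(path):
    """File name component of a Windows path, lower-cased."""
    return PureWindowsPath(path).name.lower()


def office_spawns_shell(ev):
    """Rule 1: an Office process is the parent of a shell/script host."""
    return (_basename(ev["ParentImage"]) in OFFICE_PARENTS
            and _basename(ev["Image"]) in LOLBIN_CHILDREN)


def regsvr32_odd_module(ev):
    """Rule 2: regsvr32 is asked to register a module whose name does not
    look like a DLL (e.g. m.db) or that lives in a user-writable directory."""
    if _basename(ev["Image"]) != "regsvr32.exe":
        return False
    # Tokenise the command line, honouring double-quoted arguments.
    tokens = re.findall(r'"([^"]+)"|(\S+)', ev["CommandLine"])
    args = [quoted or bare for quoted, bare in tokens][1:]  # drop argv[0]
    for arg in args:
        if arg.startswith("/"):          # switches such as /s, /i, /u
            continue
        low = arg.lower()
        suffix = PureWindowsPath(low).suffix
        if suffix not in LEGIT_MODULE_SUFFIXES or any(p in low for p in USER_WRITABLE):
            return True
    return False


RULES = {
    "office_spawned_shell": office_spawns_shell,
    "regsvr32_suspicious_module": regsvr32_odd_module,
}


def detect(events):
    """Return (EventId, rule_name) for every record that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev["EventId"], name))
    return hits


# Constructed sample records (assumed Sysmon-like shape; not real telemetry).
SAMPLE_EVENTS = [
    {"EventId": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventId": 2,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\jdoe\AppData\Local\Temp\m.db"'},
    {"EventId": 3,  # benign: a user opening a console from Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventId": 4,  # benign: an installer registering a vendor DLL
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
]

if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Only events 1 and 2 fire; the Explorer-spawned console and the installer registering a vendor DLL from Program Files pass both rules, which is the usual trade-off for this kind of parent/child and argument-shape logic.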
BRONZE EXPERT commented:
Teach users (constantly) not to click on links in email. They should always go to the web browser and log in directly to the site they need to access. Links are conveniences, but that convenience is the enemy of security. Windows itself is actually quite secure these days. Users have to run something to get access. It's now quite difficult, but not impossible, for remote access takeover of a system without tricking a user into giving them access first.

Depending on the software, you should be updating the software all the time. Things such as web browsers (Chrome, Firefox, etc.) should always be updated. They're used by users all the time, and malicious website links could conceivably take over a system by just visiting them, similar to how easy it was with Outlook years ago, when it auto-ran macros and auto-downloaded links.

You can remotely and silently install browsers for the users if you're a domain admin or have Administrator access on their non-domain computer.
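The advice above to keep browsers and the other third-party applications named in the question (Java, iTunes, Adobe) patched only works if you can tell which machines are behind. As an added example, not code from the thread or from any vendor, the block below compares an installed-software inventory against a minimum-version baseline. The inventory is constructed here in the shape of the DisplayName/DisplayVersion values found under the Windows Uninstall registry key; the baseline versions are placeholders chosen for the illustration, not real advisory thresholds, and the product-name prefixes are assumptions.

```python
import re


def parse_version(s):
    """Turn '8.0.1810.13' into (8, 0, 1810, 13). Vendors separate components
    with '.', '-' or '_'; a non-numeric tail such as 'beta' ends the tuple."""
    parts = []
    for piece in re.split(r"[.\-_]", s.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_older(installed, minimum):
    """True if installed < minimum, padding shorter tuples with zeros so
    '12.9.5' compares correctly against '12.9.4.102'."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


# (DisplayName prefix, minimum acceptable version). Placeholder values only.
BASELINE = [
    ("Java 8 Update", "8.0.2010.9"),
    ("Adobe Acrobat Reader DC", "19.012.20034"),
    ("iTunes", "12.9.5"),
    ("Google Chrome", "76.0.3809.87"),
    ("Mozilla Firefox", "68.0.2"),
]

# Constructed inventory, in the shape of the DisplayName/DisplayVersion values
# under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
INVENTORY = [
    {"DisplayName": "Java 8 Update 181", "DisplayVersion": "8.0.1810.13"},
    {"DisplayName": "Adobe Acrobat Reader DC", "DisplayVersion": "19.012.20034"},
    {"DisplayName": "iTunes", "DisplayVersion": "12.9.4.102"},
    {"DisplayName": "Google Chrome", "DisplayVersion": "76.0.3809.100"},
    {"DisplayName": "Mozilla Firefox 68.0.2 (x64 en-US)", "DisplayVersion": "68.0.2"},
    {"DisplayName": "7-Zip 19.00 (x64)", "DisplayVersion": "19.00"},
]


def find_outdated(inventory, baseline=BASELINE):
    """Return (name, installed, minimum) for every inventory entry that
    matches a baseline prefix and is older than the minimum. Entries with no
    baseline (7-Zip here) are not flagged; track them separately if needed."""
    outdated = []
    for item in inventory:
        name = item.get("DisplayName", "")
        version = item.get("DisplayVersion", "")
        for prefix, minimum in baseline:
            if name.lower().startswith(prefix.lower()):
                if is_older(version, minimum):
                    outdated.append((name, version, minimum))
                break  # first matching prefix wins
    return outdated


if __name__ == "__main__":
    for name, installed, minimum in find_outdated(INVENTORY):
        print(f"OUTDATED: {name} {installed} (minimum {minimum})")
```

With these inputs Java and iTunes are flagged; Chrome is newer than its baseline and Reader and Firefox are exactly at it. Feeding the function a real export of the Uninstall key from each endpoint (for example via a scheduled PowerShell or WMI query) turns this into the per-machine report the update push in the comment above would be driven from.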