BSI Top 10 in a Nutshell: Patch These Software Packages
Last updated on: September 6, 2020
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) is responsible for IT security within the German Federal government. In addition they work on IT security standards for Germany and are moving into a national incident tracking function as well. In December 2014 they published their yearly report summarizing the IT security state in Germany as "critical", with attacks rising, German companies leaking data and exposing their infrastructure to even physical damage. Much of it is due to a 'Digitale Sorglosigkeit', a digital carelessness where the IT industry does not pay attention to avoidable threats.
They pointed out a number of products that are constantly under attack and that require your attention to track and patch. They mention an efficiency of 95% for these type of defensive measures.
We agree wholeheartedly, even though some of the above mentioned software products seem more urgent than others. Here is our take on the list, we reordered from alphabetical to priority based and struck out software we do not see as attacked as often:
What do you think? Are Google Chrome, Firefox and Thunderbird worth including in your list of high priority items?
It’s saddening to see that there’s an obvious bias towards Apple on this blog post. Qualys has always been an unbiased place for security.
The tags on this blog specifically exclude Apple and the comment at the end is exclusive of Apple as well.
Personally, I feel that Apple should be included in this list along with all of the other crossed out software/platforms. As Apple becomes more and more prevalent in the computer market-share (currently sitting at 6.9%) hackers will want to target the OS. For some reason many people have always assumed that Apple by nature is secure. This is in fact, far from the truth. Vulnerabilities such as rootpipe still exist as exploitable via physical access in OSX 10.10. Furthermore, Apple has publicly stated that no versions prior to 10.10 will be patched for rootpipe which makes all of those operating systems vulnerable. The market-share for versions prior to and including 10.9 stands at approximately 40%. I have only touched on one vulnerability, but there are many others shared with Linux based systems including MITM OpenSSL.
If you’re going to recommend updates as a security consultant or company you should not exclude anything because of popular belief or lower chances. Hackers want to go the easy route. If over 80% of the word is working on Windows with 50% of those running outdated Java, sure the numbers are compelling to justify immediate remediation and updates. Just because Apple, Mozilla and Linux are on the lower end of the market-share doesn’t mean that we should advise against or take a neutral stance at being proactive with updates and security patches.