The Kodak Image Viewer threat highlights a useful but unpleasant fact. Microsoft patched this product because it was distributed with Windows, but most of the other products you add to your computer are not patched automatically. Many vendors expect you to check with their Web sites to learn about flaws that need patching. The criminals know that—hence the new wave of attacks against applications. So many vulnerabilities are being found in applications (nearly 100 this week alone in commercial applications—thousands more in in-house developed applications) that large buyers of custom and packaged software have already begun telling their suppliers and outsourcers that proof of secure coding skills is a prerequisite for being allowed to work on software that will be deployed on enterprise systems.
Source: SANS @Risk Oct. 15, 2007, email newsletter.