Most vulnerable apps: Apple and Mozilla "well" represented
Bit9, an endpoint security vendor, has released a list [registration required] of the most vulnerable Windows-based applications. To be included in the list, each application...
1) Runs on Microsoft Windows.
2) Is well-known in the consumer space and frequently downloaded by individuals.
3) Is not classified as malicious by enterprise IT organizations or security vendors.
4) Contains at least one critical vulnerability that was:
a. first reported in June 2006 or after,
b. registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and
c. given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
5) Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
While Bit9 notes that the vendor may have released patches, it is the user who must apply them, and that becomes a problem when users are unaware that the software needs to be updated or patched.
Here's the list:
Yahoo! Messenger 8.1.0.239 and earlier
Apple QuickTime 7.2
Mozilla Firefox 2.0.0.6
Microsoft Windows Live (MSN) Messenger 7.0, 8.0
EMC VMware Player (and other products) 2.0, 1.0.4
Apple iTunes 7.3.2
Intuit QuickBooks Online Edition 9 and earlier
Sun Java Runtime 1.6.0_X
Yahoo! Widgets 4.0.5 and previous
Ask.com Toolbar 4.0.2.53 and previous
Note that Firefox is #3. How did "the only safe browser" get listed as #3 in a vulnerability list?
I also noticed that while Mac users like to brag about how safe Macs are, Apple seems to be making a lot of vulnerable software for Windows.
Bit9's point is that these are of extra concern because, while they contain serious security vulnerabilities, they are too often overlooked and presumed to be safe.
Sometimes your greatest weapon can be your enemy's arrogance. But at the same time, your enemy's greatest weapon can be your own arrogance. The arrogance that makes one assume an application is completely safe can itself become a serious vulnerability.
The healthiest people are not those that never, ever get sick, but those who get sick just enough to build up a strong immune system. The same goes for companies that make software.
Posted by Danny Carlton at November 8, 2007 6:53 AM
Comments
This is somewhat deceptive.
Bit9's business is producing software for the corporate world to prevent users from loading unauthorized programs on their work computers. It is only logical they would focus on ubiquitous applications such as these within their PR piece.
You have to go out of your way to not install updates with Firefox. In a corporate environment I could see some people not allowing the updates, but the sort of person that uses Firefox is more likely to be a computer enthusiast that demands more security and features than Internet Explorer offers so I consider this argument a stretch if not altogether moot.
I also wish to point out that Apple's software written for the Windows platform is not necessarily indicative of "how safe Macs are". I think the argument Mac users make is that their operating system is inherently more secure.
Posted by: Santo Gold at November 8, 2007 8:10 PM
It's worth noting that just because software is present on this list in no way implies that it is less secure than other offerings in its market. Firefox, for example, which was pointed out in the entry, ranked #3, but has suffered from fewer vulnerabilities than Internet Explorer according to both Secunia and SecurityFocus. The vulnerabilities it did suffer from were also less severe, and fixed more quickly. The reason that Internet Explorer isn't present on this list is that this list is basically a promotional prop being used by Bit9 to attempt to sell their product, and is in no way a valid denunciation of the products found on its list.
Perhaps Danny was just intending to point out that there are flaws in systems other than Microsoft's. If that is the case, I can only respond with a resounding, "Duh." No software is perfect, and none of the software on this particular list are exceptions to that rule. How they compare to their closest competitors is a more relevant question.
Posted by: Mike at November 8, 2007 10:07 PM
I actually authored this list for Bit9 and I'm glad to see it is sparking discussion - that's always one of my goals in writing.
I definitely agree with your points about IE vs Firefox when it comes to the inherent vulnerabilities of the software. But I thought it'd be worth explaining my reasoning - and I'd love to hear what you think.
This list is geared primarily towards companies who manage their users' PCs. And despite IE's many flaws, there is a very good system in place for companies to hear about problems, deploy the patches, and ensure that everything is kept up to date.
With Firefox however, that's not the case for IT departments. I take issue with the claim that "Firefox users are more security-aware" - while many of them are, I for one have been recommending Firefox to all my family and friends, who install it based on my suggestion, but are certainly not tech-savvy in any way. This is simply not something that a company can depend on when assessing the overall security of their environment.
Check out my blog to see more about why we chose the vulnerabilities we did when it comes to IT. I'd love to hear your comments.
http://bit9.com/blog/home/tabid/15398/bid/2568/The-Top-10-Most-Vulnerable-Applications-for-2007.aspx
NOTE: I am under no obligation to preserve the incoherent mutterings of illiterate morons. I have no problem with people disagreeing with me, but make sure you actually know what you're talking about, or your comment will be removed.