Enterprise Application Whitelisting
Posted by Brian Gladstein on Wed, Oct 24, 2007
We've just released our top 10 list of the most vulnerable applications for 2007. This is the second year we've put the list together, and it is focused on those applications that users tend to download. These apps are often very difficult for IT to see, let alone patch, and therefore represent unexpected and unquantified vulnerabilities in an enterprise IT environment.
To make it onto the list, the following criteria must be met. Each application:
- Must run on Microsoft Windows
- Must be well-known in the consumer space and frequently downloaded by individuals.
- Must not be classified as malicious by enterprise IT organizations or security vendors
- Must contain at least one critical vulnerability:
  - first reported in June 2006 or after,
  - registered in the U.S. National Institute of Standards and Technology’s (NIST) official vulnerability database at http://nvd.nist.gov, and
  - with a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
- Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
It is important to note that in most cases, the vendor or publisher of the applications on this list has already produced a patch for the particular vulnerability or vulnerabilities reported here. But at a company, there is usually no way that IT can ensure that the patch has been properly applied - that's requirement #5 on the list of criteria above.
Last year when we released this list, a lot of people commented on how we left off so much Microsoft software - some even going so far as to say that Microsoft sponsored this research! So let me be clear - this is entirely produced and financed by Bit9. The reason most Microsoft software doesn't make the list is that by now most companies have a pretty good process in place for identifying, patching, and fixing vulnerable Microsoft software. The same cannot be said for apps like Firefox, iTunes, and other packages.
You can download the full list of vulnerable applications here, which includes the specific versions, the vendors' solutions, the nature of the vulnerabilities, and references to the CVE numbers for the identified vulnerabilities. Also, you can learn what to do to help protect your company from vulnerable applications like these. So without further ado, here are the apps on the list. Do you have a comment about it? Please submit!
- Yahoo! Messenger 8.1.0.239 and earlier
- Apple QuickTime 7.2
- Mozilla Firefox 2.0.0.6
- Microsoft Windows Live (MSN) Messenger 7.0, 8.0
- EMC VMware Player (and other products) 2.0, 1.0.4
- Apple iTunes 7.3.2
- Intuit QuickBooks Online Edition 9 and earlier
- Sun Java Runtime 1.6.0_X
- Yahoo! Widgets 4.0.5 and previous
- Ask.com Toolbar 4.0.2.53 and previous
Posted by Brian Gladstein on Fri, Oct 12, 2007
Posted by Brian Gladstein on Wed, Oct 10, 2007
When you buy a security product, do you want to know how well it did against malware that was out last year? Or do you want to know how well it protects you from attacks in the future? The answer is obvious. Well, apparently organizations like AV-Test.org think you don't care about malware that will come out tomorrow... or even what is out there today. It may shock you to learn how they have been conducting their testing. They basically pre-load a pile of malware on a PC and run an antivirus solution against it. Effectiveness is measured by how much of that malware is found and stopped. So basically - when malware comes onto the machine through an email... when a known vulnerability is patched... when a user visits a webpage that contains a drive-by... none of these attacks count for anything in the test. Nor does any malware that is coming out today. Or tomorrow. Or even just a couple of days ago. Because the malware that is used for the testing is an old sample that the AV vendors have had every opportunity to write specific signatures for. That doesn't represent the way your PCs behave when they are actually on the Internet. It's a joke! Here's an article from The Register describing how, finally, people are starting to consider a different testing approach that incorporates additional aspects of desktop security like behavioral HIPS, patching, and firewalls. It's about time. Still, how can you trust the results of a test that can't even tell you something as simple as "how infected does a computer on the Internet get with a given protection scheme?" If you ask me, this is what is wrong with the endpoint security industry today: too many people patting themselves on the back for fighting malware, and not enough attention paid to real-world effectiveness. What do you think? Please comment...
Posted by Brian Gladstein on Thu, Oct 04, 2007
Much has been said on the topic of the convergence of IT Security and IT Operations. We all see the trend - or steady march now - towards an integrated business function where security is built into every process and aspect of how information technology is managed at a company. The security industry welcomes this because, let's face it, it's a fight to get people to pay attention to security. System admins too often view security as an afterthought, and one that is rarely prioritized the way it ought to be. But what few people in the security industry seem to realize is that IT security has become too complex for most administrators on the operational side. Malicious software has become so hard to detect - and malicious behavior is so hard to distinguish from legitimate behavior - that the amount of attention a typical admin must pay to overseeing security audit trails and policies is overwhelming.

Let's look more at the situation on the desktop. Think of how many layers of security now exist on a PC: antivirus, antispyware, personal firewall, HIPS, popup-blockers, URL filtering... the list goes on. Each of these tools has its own security policy, its own set of audits and reports, its own management interface. And as IT security organizations succeed in pushing these tools onto enterprise desktops, it is the IT operations group that has to deal with it all. Even where agents and consoles are integrated or combined, each technology has its own unique philosophy - meaning that the policies require specialization to properly implement. And after all, it is the implementation of the policy that determines how well the underlying assets are protected. A nuclear power plant can have all the right precautionary procedures in place, but if the workers refuse to follow them... meltdown.

So what is the real effect on an IT organization and its security effectiveness? If security is too complex to manage, IT admins either set policies too loosely (so what's the point of the security layer) or they make too many configuration errors (which often eliminates the security benefits). Plus, the specialization required to operate these tools means additional training, additional headcount, or a similar impact on cost and operation. This trend is sadly only getting worse.

That's where whitelisting comes in. Whitelisting represents a complete reversal in thinking. The skillset required to identify a "good" or "authorized" piece of software is far more common in existing IT organizations. Customers like that - it's easy for them to implement, it sets a higher security baseline, and it significantly reduces the threat surface they need to devote attention to.

There has been a lot of discussion lately about whitelisting as a security technology. Several experts appear to be questioning its effectiveness against emerging threats (a point I am happy to argue, by the way). They claim that whitelisting simply cannot substitute for the many researchers who devote their lives to identifying malicious software. But I put the question back to the industry: if the technology we create to identify malicious software is too complex for people to use, have we really done our jobs? Have we successfully crossed from the theoretical to the practical? Are we really protecting people? Personally, I don't think so. That's what whitelisting represents for me - and for many of our customers - the most practical way to converge desktop security and operations.
Posted by Brian Gladstein on Mon, Oct 01, 2007
Another data breach... this time at the Gap Inc. The company has reported that personal information for 800,000 job applicants went out the door with two stolen laptops. Sadly, they are just the latest organization to have to deal with this problem. Here's a great site (attrition.org) that lists major data loss and data leakage events. Scroll through this list and you'll be amazed at how many companies are still getting on here. I ran some quick calculations about the data on the site and here are some interesting results:
- Data breaches have affected in excess of 230 million accounts (those are just the ones they can estimate)
- So far in 2007, about 75% more people have been affected by a data leakage event than in 2006 (the year is not over)
- The number of recorded breaches has been going up exponentially for the past few years - until this year, when the number appears to dip a little. Of course the year is not over, but the average number of stolen accounts per incident is dramatically higher.
- The top 3 types of data stolen are: Credit Cards (104M), Social Security Numbers (68 M), and email addresses (30M)
Will this unfortunate event help spur other companies to better protect their desktops and laptops? I can't say I know the answer. But as a consumer I know what the answer should be. Companies have got to get more control over their computers and over my personal information.