Bit9


The Top 10 Most Vulnerable Applications for 2007

Posted by Brian Gladstein on Wed, Oct 24, 2007

We've just released our top 10 list of the most vulnerable applications for 2007. This is the second year we've put the list together, and it is focused on applications that end users download and install themselves. IT often cannot even see these apps, let alone patch them, so they represent unexpected and unquantified risk in an enterprise IT environment.


To make it onto the list, the following criteria must be met. Each application:

  1. Must run on Microsoft Windows.
  2. Must be well-known in the consumer space and frequently downloaded by individuals.
  3. Must not be classified as malicious by enterprise IT organizations or security vendors.
  4. Must contain at least one critical vulnerability:
    • first reported in June 2006 or after,
    • registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and
    • with a severity rating of high (a CVSS base score between 7.0 and 10.0).
  5. Must rely on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.


It is important to note that in most cases the vendor or publisher of an application on this list has already released a patch for the vulnerability or vulnerabilities reported here. The problem is that inside a company IT usually has no way to ensure the patch has actually been applied on every machine; that is requirement #5 in the criteria above.


Last year when we released this list, a lot of people commented on how much Microsoft software we left off, and some went so far as to say that Microsoft sponsored the research! So let me be clear: this list is produced and financed entirely by Bit9. The reason most Microsoft software doesn't make the list is that by now most companies have a reasonably good process in place for identifying, patching, and fixing vulnerable Microsoft software. The same cannot be said for apps like Firefox, iTunes, and the other packages below.


You can download the full list of vulnerable applications here; it includes the specific affected versions, the vendors' fixes, the nature of each vulnerability, and the CVE identifiers for the vulnerabilities we counted. You can also learn what to do to help protect your company from vulnerable applications like these.


So without further ado, here are the apps on the list. Do you have a comment about it? Please submit!


  1. Yahoo! Messenger 8.1.0.239 and earlier
  2. Apple QuickTime 7.2
  3. Mozilla Firefox 2.0.0.6
  4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
  5. EMC VMware Player (and other products) 2.0, 1.0.4
  6. Apple iTunes 7.3.2
  7. Intuit QuickBooks Online Edition 9 and earlier
  8. Sun Java Runtime 1.6.0_X
  9. Yahoo! Widgets 4.0.5 and previous
  10. Ask.com Toolbar 4.0.2.53 and previous
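
The list is only actionable if you can tell which of your machines are running an affected build, and the "X and earlier" / "1.6.0_X" entries above are not safe to compare as strings. The following is an added worked example (not part of this post and not Bit9's product code) that turns the affected-version entries into checks and runs them over a constructed inventory. The product names used as dictionary keys, the host names and the version numbers in the sample inventory are assumptions for the example; the only things taken from the post are the affected-version entries themselves.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = List[Optional[int]]   # None = wildcard component ("X")

# Affected-version entries copied from the list above, keyed by the product
# name an inventory tool would report. The keys are an assumption made for
# this example; real inventory data needs its own name normalization.
AFFECTED: Dict[str, str] = {
    "Yahoo! Messenger": "8.1.0.239 and earlier",
    "Apple QuickTime": "7.2",
    "Mozilla Firefox": "2.0.0.6",
    "Windows Live Messenger": "7.0, 8.0",
    "VMware Player": "2.0, 1.0.4",
    "Apple iTunes": "7.3.2",
    "Sun Java Runtime": "1.6.0_X",
    "Yahoo! Widgets": "4.0.5 and previous",
    "Ask.com Toolbar": "4.0.2.53 and previous",
}


def parse_version(s: str) -> Version:
    """'1.6.0_07' -> [1, 6, 0, 7]; an 'X' component becomes None (wildcard)."""
    out: Version = []
    for part in re.split(r"[._]", s.strip()):
        if part.upper() == "X":
            out.append(None)
            continue
        m = re.match(r"\d+", part)
        if not m:
            raise ValueError(f"unparseable version component {part!r} in {s!r}")
        out.append(int(m.group(0)))   # int() so 0240 compares as 240, not as text
    return out


def parse_spec(spec: str) -> List[Tuple[str, Version]]:
    """'8.1.0.239 and earlier' -> [('<=', ...)]; '7.0, 8.0' -> [('==', ...), ('==', ...)]."""
    m = re.match(r"^(\S+)\s+and\s+(earlier|previous)$", spec.strip(), re.I)
    if m:
        return [("<=", parse_version(m.group(1)))]
    return [("==", parse_version(v)) for v in re.split(r"\s*,\s*", spec.strip())]


def version_le(installed: Version, bound: Version) -> bool:
    """Numeric, component-wise <=; missing trailing components count as 0."""
    if None in bound or None in installed:
        raise ValueError("wildcards are not allowed in an 'and earlier' comparison")
    n = max(len(installed), len(bound))
    a = installed + [0] * (n - len(installed))
    b = bound + [0] * (n - len(bound))
    return a <= b                      # list comparison is lexicographic on ints


def version_matches(installed: Version, pattern: Version) -> bool:
    """Prefix match: '7.2' covers 7.2.0.240, '1.6.0_X' covers every 1.6.0 update level."""
    for i, p in enumerate(pattern):
        if p is None:
            continue
        got = installed[i] if i < len(installed) else 0
        if got != p:
            return False
    return True


def is_affected(installed_version: str, spec: str) -> bool:
    inst = parse_version(installed_version)
    for op, ver in parse_spec(spec):
        if op == "<=" and version_le(inst, ver):
            return True
        if op == "==" and version_matches(inst, ver):
            return True
    return False


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Inventory rows are (host, product, version); returns the rows in an affected range."""
    findings = []
    for host, product, version in inventory:
        spec = AFFECTED.get(product)
        if spec and is_affected(version, spec):
            findings.append((host, product, version, spec))
    return findings


# Constructed sample inventory (not real hosts or data) of the kind a registry
# scan of the Uninstall keys or an endpoint agent would produce.
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox", "2.0.0.6"),      # on the list
    ("ws-02", "Mozilla Firefox", "2.0.0.9"),      # newer than the listed version
    ("ws-03", "Yahoo! Messenger", "8.1.0.209"),   # earlier than 8.1.0.239
    ("ws-04", "Yahoo! Messenger", "8.1.0.413"),   # later, so not affected
    ("ws-05", "Sun Java Runtime", "1.6.0_02"),    # matched by the 1.6.0_X wildcard
    ("ws-05", "Apple QuickTime", "7.2.0.240"),    # a build of 7.2
    ("ws-06", "Apple QuickTime", "7.3"),          # not 7.2
    ("ws-06", "Ask.com Toolbar", "4.0.2.53"),     # equal to the bound counts as "and previous"
    ("ws-07", "Yahoo! Widgets", "4.0.10"),        # sorts before "4.0.5" as text, but is newer
]

if __name__ == "__main__":
    for host, product, version, spec in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} falls in the affected range ({spec})")
```

Two design choices worth noting. A bare entry such as "7.2" or "2.0" is treated as a prefix, so 2.0.1 would be flagged for an entry of "2.0"; that errs toward flagging, and the CVE's own affected-version range is the authoritative check before you act on a hit. Second, version strings are compared numerically per component, because the text comparison that a quick spreadsheet sort gives you puts 4.0.10 before 4.0.5. On Windows the inputs would be the DisplayName and DisplayVersion values under the Uninstall keys in the registry, which is exactly the data IT usually does not collect for user-installed software.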


COMMENTS

This is a great article!

posted @ Thursday, October 25, 2007 12:33 AM by Brian P Halligan


Thanks for the information, very helpful to know and I've followed your advice and updated both my home and work machines to the more secure versions.

posted @ Monday, October 29, 2007 8:55 PM by Drew Smith


You went to quite some effort to get Firefox on that list at all, Brian. To underline your hints, Firefox 2.0.0.6 was already two versions old when your "results" were originally posted--at the time of writing, the Windows machines in my office have all been updated to Firefox 2.0.0.9. (Incidentally, all the user is "relied on" to do is click a button saying "Ok, install the update." I agree that it would be wonderful if Microsoft would allow Mozilla to add its updates to the Windows update tool.)

Here is the critical vulnerability in Firefox 2.0.0.6: http://www.mozilla.org/security/announce/2007/mfsa2007-28.html

After Mozilla patched this in Firefox's next release, Internet Explorer was still vulnerable: http://larholm.com/2007/09/19/quicktime-qtnext-0day-for-ie/

Yet because of the arbitrary rating system here employed, you are presenting Internet Explorer as less vulnerable than Firefox! To be fair, you do explain why your rating system is useless (Microsoft is automatically above reproach), but your energy may be better spent encouraging user awareness (such as "click YES when Firefox asks if you'd like to update") rather than presenting spurious bullet points discouraging adoption of a more secure web browser.

posted @ Monday, November 05, 2007 4:27 PM by jdb


what about Internet Explorer !!!!! :thumbdown:

posted @ Wednesday, November 21, 2007 9:51 AM by lord_nara

