Monday, December 15, 2008

FireFox, iTunes, Skype Amongst Top Apps With Most Security Holes

Bit9, Inc., the pioneer and leader in Enterprise Application Whitelisting, unveiled its annual ranking of popular consumer applications with known security vulnerabilities. This year's list, known as "the dirty dozen", consists of 12 widely used applications with known vulnerabilities.

Five of the top 12 applications are: Mozilla Firefox, versions 2.x and 3.x; Adobe Acrobat, versions 8.1.2 and 8.1.1; Microsoft Windows Live (MSN) Messenger, versions 4.7 and 5.1; Apple iTunes, versions 3.2 and 3.1.2; and Skype, version . The remainder of the list includes products from Yahoo, Symantec, Sun, Trend Micro, Citrix, Aurigma and Lycos.

Each of the 12 applications on the list has the following characteristics:

  • Runs on Microsoft Windows.

  • Is well-known in the consumer space and frequently downloaded by individuals.

  • Is not classified as malicious by enterprise IT organizations or security vendors.

  • Contains at least one critical vulnerability that was first reported in January 2008 or after, registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at, and given a severity rating of high (between 7.0 and 10.0) on the Common Vulnerability Scoring System (CVSS).

  • Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.

  • Cannot be automatically and centrally updated via free enterprise tools such as Microsoft SMS and WSUS.

While Bit9 says most of the vulnerabilities listed have been patched, it points out that these patches are not easily deployed by IT administrators, who may not even know which programs employees are running.

"The nature of these applications is such that the user is responsible for implementing the patch. Enterprise IT organizations can not reliably ensure these patches have been properly applied—if at all—representing an inherent exposure in protecting the enterprise network."

As we all know, workers enjoy downloading software to their workstations that they feel either makes their life easier or the work day a little more fun. This list outlines how much of a security risk that practice could pose to companies.

The complete Bit9 report can be downloaded here; registration is required.
