Top vulnerable applications in 2009


Bit9 unveiled its annual report on the most popular consumer applications with known vulnerabilities. The list, published in the accompanying research brief, is written for IT professionals who are responsible for providing secure and well-managed computers while also dealing with users who download software that is vulnerable to malicious attacks and often not approved by company policy.

The software on the list often runs outside of the IT department’s knowledge or control and can lead to data leakage risk and compliance breaches.

This year Adobe applications top the list, with four applications identified in the U.S. National Institute of Standards and Technology’s (NIST) official vulnerability database. Adobe Acrobat, Flash Player, Reader and Shockwave had vulnerabilities rated “High”, including ones that allowed remote attackers to execute arbitrary code, trigger memory corruption, cause a denial of service or crash the application.

Other vulnerable applications on the list include:

  • Apple Quicktime
  • Mozilla Firefox
  • Opera
  • RealPlayer
  • Sun Java
  • Trillian

The applications on the list meet the following criteria:

  • Runs on Microsoft Windows
  • Is well-known in the consumer space and frequently downloaded by individuals
  • Is not classified as malicious by enterprise IT organizations or security vendors
  • Contains at least one critical vulnerability that was:
    • First reported in January 2009 or after
    • Registered in the NIST official vulnerability database and given a severity rating of High (a CVSS base score between 7.0 and 10.0)
  • Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists
  • Cannot be automatically and centrally updated via enterprise tools such as Microsoft SMS and WSUS
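The criteria above are a filter that an IT team can run over its own software inventory and vulnerability feed. The following Python is an added example, not code from Bit9 or from the report, that applies those criteria to NVD-style records; the application profiles, the vulnerability records and their identifiers (prefixed EXAMPLE-) are all constructed for illustration and do not describe any real product, and the field names are assumptions. It handles the two boundaries the criteria imply: a CVSS base score of exactly 7.0 and a publication date of exactly 1 January 2009 both qualify.

```python
"""Apply the report's inclusion criteria to constructed NVD-style records.

Added example, not the report's own tooling. Records and product names are
placeholders; EXAMPLE-nnnn identifiers are not CVE numbers.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Thresholds taken from the criteria: CVSS "High" is a base score of
# 7.0-10.0, and only vulnerabilities first reported in 2009 or later count.
HIGH_MIN, HIGH_MAX = 7.0, 10.0
WINDOW_START = date(2009, 1, 1)


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str          # placeholder identifier, not a real CVE
    product: str
    published: date       # first reported / published date in the database
    cvss_base: float      # CVSS base score, 0.0-10.0


@dataclass(frozen=True)
class AppProfile:
    name: str
    runs_on_windows: bool
    consumer_popular: bool
    flagged_malicious: bool
    user_patched: bool    # end user, not central IT, applies fixes
    central_update: bool  # can be pushed by SMS/WSUS-style tooling


def is_high(rec: VulnRecord) -> bool:
    """CVSS 'High' band, inclusive at both ends."""
    return HIGH_MIN <= rec.cvss_base <= HIGH_MAX


def in_window(rec: VulnRecord) -> bool:
    """First reported on or after the window start."""
    return rec.published >= WINDOW_START


def qualifying_vulns(records: List[VulnRecord], product: str) -> List[VulnRecord]:
    return [r for r in records
            if r.product == product and in_window(r) and is_high(r)]


def exclusion_reason(app: AppProfile, records: List[VulnRecord]) -> Optional[str]:
    """Return why an app is left off the list, or None if it belongs on it."""
    if not app.runs_on_windows:
        return "does not run on Windows"
    if not app.consumer_popular:
        return "not a popular consumer download"
    if app.flagged_malicious:
        return "already classified as malicious"
    if app.central_update or not app.user_patched:
        return "can be patched centrally"
    if not qualifying_vulns(records, app.name):
        return "no High-severity vulnerability reported in the window"
    return None


def build_list(apps: List[AppProfile], records: List[VulnRecord]) -> List[str]:
    """Names of applications meeting every criterion, sorted for reporting."""
    return sorted(a.name for a in apps if exclusion_reason(a, records) is None)


# Constructed sample inventory and vulnerability feed.
SAMPLE_APPS = [
    AppProfile("Example Media Player", True, True, False, True, False),
    AppProfile("Example Office Suite", True, True, False, False, True),   # pushed via WSUS-style tooling
    AppProfile("Example Browser", True, True, False, True, False),        # only a Medium-severity issue
    AppProfile("Example Archiver", True, True, False, True, False),       # issue predates the window
    AppProfile("Example Chat Client", True, True, False, True, False),    # exactly on both boundaries
]
SAMPLE_RECORDS = [
    VulnRecord("EXAMPLE-0001", "Example Media Player", date(2009, 3, 10), 8.3),
    VulnRecord("EXAMPLE-0002", "Example Office Suite", date(2009, 5, 2), 9.3),
    VulnRecord("EXAMPLE-0003", "Example Browser", date(2009, 2, 14), 6.8),
    VulnRecord("EXAMPLE-0004", "Example Archiver", date(2008, 12, 1), 9.0),
    VulnRecord("EXAMPLE-0005", "Example Chat Client", date(2009, 1, 1), 7.0),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(f"{app.name}: {exclusion_reason(app, SAMPLE_RECORDS) or 'ON LIST'}")
    print(build_list(SAMPLE_APPS, SAMPLE_RECORDS))
```

The exclusion reason is kept as a string rather than a boolean so the same pass doubles as a report: an application that drops off the list because it is centrally patched is a different outcome for the IT team than one that simply has no High-severity issue in the window.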

In most cases vendors have issued patches for the identified vulnerabilities, but the enterprise remains at risk because the end user is often the one responsible for applying the patch. This year also saw exceptions, with some vendors taking up to a month to release patches after vulnerabilities were publicly disclosed. Enterprise IT organizations that are not monitoring their endpoints have no reliable way to confirm that these patches have actually been applied, and enterprises and government agencies without application controls in place cannot protect against zero-day attacks for which no patch or fix yet exists.

And while Microsoft Internet Explorer does not fit the criteria, it received an “honorable mention” due to the public release of a zero-day exploit targeting IE users in August. The vulnerability, which went unpatched for three weeks, demonstrates the importance of application control, automated patch management and professional vulnerability reporting. Combining security efforts and adopting a layered approach to IT risk management can greatly reduce the costs associated with data loss, malicious code and compliance breaches.

“These popular applications are frequently downloaded to laptops and desktops by users and can present unnecessary security risk to IT and business operations,” said Tom Murphy, chief strategy officer, Bit9. “We are seeing a growing number of applications within the enterprise creating security risk that can be prevented through better visibility across endpoints, a more centralized patch-management process, and application whitelisting to prevent the use of unauthorized and potentially malicious software.”