12 Top Popular Applications with Critical Security Vulnerabilities

A key element of successful risk management is mitigating the risk of security vulnerabilities. Bit9 research shows that enterprises face a substantial risk from critical flaws found in popular applications.

Enterprise Risks Revealed

To highlight the risk enterprises face from popular applications that remain unknown and unmanaged by the IT department, Bit9 announced the "2008 Most Popular Applications with Critical Security Vulnerabilities"—an annual list and research report based on public research from the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database.

What has been a 'Top 10' list in previous years, the 2008 edition was bolstered to become "The Dirty Dozen." This increase to 12 applications is due in large part to the increased number of non-secure consumer applications, and the widespread adoption of these highly popular programs, such as Skype and Yahoo! Assistant.

The list and accompanying research report are designed to raise awareness. These applications often run outside of the IT department's knowledge and control, creating serious security risks for enterprises. Each of these vulnerable applications contains doors into the enterprise that can be used by malicious hackers. IT departments need a way to shut these doors—centrally and automatically—without relying on their end users. IT also needs a way to address the lack of visibility into what applications are being downloaded and run on their employee's computers and also a way to control the execution of software that is not authorized by company policy.

Of the 12 applications identified, here are five that you almost certainly know. Again, these applications were selected for being widely-used (there are over 500 million downloads of Firefox), and then ranked based on the number of specific vulnerabilities they contained—and these vulnerabilities had to be rated "high", between 7.0—10.0, on the Common Vulnerability Scoring System (CVSS).

Firefox had 40 high CVSS vulnerabilities, making them number-one on the list. Some others are listed below are in no particular order.

Mozilla Firefox, versions 2.x and 3.x
Adobe Acrobat, versions 8.1.2 and 8.1.1
Microsoft Windows Live (MSN) Messenger, versions 4.7 and 5.1
Apple iTunes, versions 3.2 and 3.1.2
Skype, version 3.5.0.248

Note that in most cases, the The entire list of vulnerable applications can be downloaded.

What Can Be Done?

Define a control policy for applications. Answer questions such as: What applications will we authorize users to install on their own? If vulnerability is found, what is the proper recourse?

Understand where the applications are. An unknown vulnerability could jeopardize sensitive data—and your company's reputation—if a laptop connects to a public Wi-Fi spot.

Monitor the Internet for new vulnerabilities. Excellent resources are available at sites such the National Vulnerability Database (http://nvd.nist.gov), the SANS Institute (http://www.sans.org).

Monitor your PCs using software identification services. Services such as the free FileAdvisor (http://fileadvisor.bit9.com) let you look up any file and identify its product, publisher, security rating, and more.

Enforce application controls using application white listing solutions. Anything not on the white list won't execute—whether it's a targeted attack, one of these vulnerable applications or a malicious payload.

The List Criteria

Each application on the list has the following characteristics:

Runs on Microsoft Windows.
Is well-known in the consumer space and frequently downloaded by individuals.
Is not classified as malicious by enterprise IT organizations or security vendors.
Contains at least one critical vulnerability that was:
- first reported in June 2006 or after
- registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
The application cannot be automatically and centrally updated via enterprise tools such as Microsoft SMS & WSUS.

Harry Sverdlove is chief technology officer for Bit9, Inc., a provider of enterprise application whitelisting solutions.

Comments

enterprise applications

More from IT Drilldown « Back to Security

Articles

Global Warming Research Exposed After Hack

Chrome Shines, Gore Opines, Staffs Decline

Two Approaches to NFC Battle for French Hearts and Mobiles

FCC: Internet Program for Deaf Cheated Out of Millions

Cyberattacks on U.S. Military Jump Sharply in 2009

Cisco's Free IPhone App Grabs Security Feeds

EU Security Agency Highlights Cloud Computing Risks

Cyberattacks on U.S. Military Jump Sharply in 2009

Mobile Security ABCs

Get up to speed on mobile security.

Learn More »

Security Newsletter

Recent Articles

Top 10 Enterprise Risk Management Myths

Innovation in enterprise application design

Enterprise Application Integration: This Could Be the Start of Something Small

Security MarketSpace

Practical Approaches for Securing Web Applications

Enterprises understand the importance of securing web applications to protect critical corporate and customer data. What many don't understand, is how to implement a robust process for integrating security and risk management throughout the web application software development lifecycle. Learn more »

Smart techniques for application security: whitebox + blackbox security testing.

An Executive's Guide to Web Application Security

Since so many Web sites contain vulnerabilities, hackers can leverage a relatively simple exploit to gain access to a wealth of sensitive information, such as credit card data, social security numbers and health records. It's more important than ever to examine your Web application security, assess your vulnerability and take action to protect your business. Learn more »

Web Application Vulnerabilities

Security managers may work for midsize or large organizations; they may operate from anywhere on the globe. But inevitably, they share a common goal: to better manage the risks associated with their business infrastructure. Increasingly, Web application security plays a significant role in achieving that goal. Learn more »

Lower the Cost and Complexity of a Mobile Workforce through Automation

Lower the Cost and Complexity of a Mobile Workforce Learn more »

Retooling IT for a Mobile Workforce

Check out this research note from IDC for guidance. Learn more »

Today's Risky Data Environment

This paper explains how an IT and security service provider can provide a practical, manageable and reliable solution. Learn more »

Business Continuity - Are You Always Open for Business?

This Oracle business brief explains how mid-sized can improve performance by creating an IT infrastructure that makes working faster, easier and more effective. Learn more »

WHITE PAPERS

Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle

Managing a growing threat: An Executive's Guide to Web Application Security

Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities

IDC Q&A: The Mobile Workforce

Managed Security for a Not-So-Secure World

Oracle Business Brief - Business Continuity - Are You Always Open for Business?

The Forrester Wave™: Web Filtering, Q2 2009

The Forrester Wave™: Email Filtering, Q2 2009

VIP Access for Mobile: Making Consumer Two-Factor Authentication Simple and Cost-Effective

Authentication as a Service by Forrester Research

Mining the Cloud to Ease the Enterprise Compliance Burden