The software vulnerabilities listed in Bit9's so-called "Dirty Dozen" don't swoop in wearing a mask and brandishing a gun. They come in surreptitiously, hidden in the coattails of popular applications. These applications aren't malicious in nature, but if managed improperly by the end user, they become open doors for hackers and malware to penetrate computers and networks that are otherwise secure. How many times do you boot up your computer, receive a patch-update request, but close it because you're in a hurry? Or worse, click the option that says "do not ask me again"? Users who don't take the time to install these patches have a big open door sitting on their desktop.

Enterprise Risks Revealed

To highlight the risk enterprises face from popular applications that remain unknown and unmanaged by the IT department, Bit9 announced the "2008 Most Popular Applications with Critical Security Vulnerabilities", an annual list and research report based on public research from the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database. What had been a "Top 10" list in previous years was bolstered in the 2008 edition to become "The Dirty Dozen." This increase to 12 applications is due in large part to the increased number of non-secure consumer applications, and the widespread adoption of these highly popular programs, such as Skype and Yahoo! Assistant.

The list and accompanying research report are designed to raise awareness. These applications often run outside of the IT department's knowledge and control, creating serious security risks for enterprises. Each of these vulnerable applications contains doors into the enterprise that can be used by malicious hackers. IT departments need a way to shut these doors, centrally and automatically, without relying on their end users. IT also needs a way to address the lack of visibility into what applications are being downloaded and run on their employees' computers, and a way to control the execution of software that is not authorized by company policy.

Of the 12 applications identified, here are five that you almost certainly know. Again, these applications were selected for being widely used (there are over 500 million downloads of Firefox), and then ranked based on the number of specific vulnerabilities they contained; these vulnerabilities had to be rated "high", between 7.0 and 10.0, on the Common Vulnerability Scoring System (CVSS). Firefox had 40 high-CVSS vulnerabilities, making it number one on the list. The others listed below are in no particular order.

Mozilla Firefox, versions 2.x and 3.x
Adobe Acrobat, versions 8.1.2 and 8.1.1
Microsoft Windows Live (MSN) Messenger, versions 4.7 and 5.1
Apple iTunes, versions 3.2 and 3.1.2
Skype, version 184.108.40.206

Note that in most cases, the vendors of these applications have issued patches or other instructions for eliminating the vulnerability. But the user is responsible for implementing the patch. Enterprise IT organizations cannot reliably ensure these patches have been properly applied, if at all, which represents an inherent exposure in protecting the enterprise network. The entire list of vulnerable applications can be downloaded.

What Can Be Done?

Define a control policy for applications.
Answer questions such as: What applications will we authorize users to install on their own? If a vulnerability is found, what is the proper recourse?

Understand where the applications are.
An unknown vulnerability could jeopardize sensitive data, and your company's reputation, if a laptop connects to a public Wi-Fi spot.

Monitor the Internet for new vulnerabilities.
Excellent resources are available at sites such as the National Vulnerability Database (http://nvd.nist.gov) and the SANS Institute (http://www.sans.org).

Monitor your PCs using software identification services.
Services such as the free FileAdvisor (http://fileadvisor.bit9.com) let you look up any file and identify its product, publisher, security rating, and more.

Enforce application controls using application whitelisting solutions.
Anything not on the whitelist won't execute, whether it's a targeted attack, one of these vulnerable applications or a malicious payload.

The List Criteria

Each application on the list has the following characteristics:
Runs on Microsoft Windows.
Is well-known in the consumer space and frequently downloaded by individuals.
Is not classified as malicious by enterprise IT organizations or security vendors.
Contains at least one critical vulnerability that was:
  first reported in June 2006 or after;
  registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and given a severity rating of high (between 7.0 and 10.0) on the Common Vulnerability Scoring System (CVSS).
Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
The application cannot be automatically and centrally updated via enterprise tools such as Microsoft SMS & WSUS.

Harry Sverdlove is chief technology officer for Bit9, Inc., a provider of enterprise application whitelisting solutions.
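The list criteria above amount to a filter over NVD-style vulnerability records plus a ranking by the number of high-severity entries per application. The following script, added here as an illustration and not Bit9's or NIST's own code, encodes those criteria (Windows only, popular consumer software, not classified malicious, not centrally patchable, published June 2006 or later, CVSS base score in the inclusive 7.0 to 10.0 band) and ranks the survivors. The record and profile schemas, the product names, the "EX-" identifiers, scores and dates are all constructed sample data, and the 7.0 boundary is treated as inclusive, matching the article's "between 7.0 and 10.0".

```python
"""Rank consumer applications by count of high-severity vulnerabilities.

Added example, not Bit9's or NIST's code. It encodes the list criteria
described in the article: Windows, popular consumer application, not
classified as malicious, not centrally patchable (e.g. via SMS/WSUS), and
at least one NVD-registered vulnerability published June 2006 or later with
a CVSS base score of 7.0 to 10.0. All product names, identifiers, scores
and dates below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

HIGH_CVSS_MIN = 7.0             # lower bound of the "high" band used by the article
HIGH_CVSS_MAX = 10.0
CUTOFF_DATE = date(2006, 6, 1)  # "first reported in June 2006 or after"


@dataclass(frozen=True)
class VulnRecord:
    """One NVD-style entry (simplified, assumed schema)."""
    vuln_id: str
    product: str
    platform: str
    cvss_base: float
    published: date


@dataclass(frozen=True)
class AppProfile:
    """What the ranking needs to know about an application (assumed schema)."""
    name: str
    consumer_popular: bool
    classified_malicious: bool
    centrally_patchable: bool   # True if SMS/WSUS-style tools can update it


def is_high_severity(record: VulnRecord) -> bool:
    """CVSS base score inside the inclusive 7.0 to 10.0 band."""
    return HIGH_CVSS_MIN <= record.cvss_base <= HIGH_CVSS_MAX


def exclusion_reason(record: VulnRecord, profile: AppProfile) -> Optional[str]:
    """Return None if the record counts toward the list, otherwise why it does not."""
    if not profile.consumer_popular:
        return "not a widely downloaded consumer application"
    if profile.classified_malicious:
        return "classified as malicious by IT or security vendors"
    if profile.centrally_patchable:
        return "centrally updatable by enterprise tools"
    if record.platform != "Windows":
        return "does not run on Microsoft Windows"
    if record.published < CUTOFF_DATE:
        return "reported before June 2006"
    if not is_high_severity(record):
        return "CVSS base score below the high band"
    return None


def rank_applications(records: List[VulnRecord],
                      profiles: Dict[str, AppProfile]) -> List[Tuple[str, int]]:
    """Count qualifying vulnerabilities per product; most first, ties by name."""
    counts: Counter = Counter()
    for rec in records:
        profile = profiles.get(rec.product)
        if profile is None:
            continue    # unknown product: no profile, so it cannot be assessed
        if exclusion_reason(rec, profile) is None:
            counts[rec.product] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample inventory: names, IDs, scores and dates are made up.
SAMPLE_PROFILES = {
    "ExampleBrowser": AppProfile("ExampleBrowser", True, False, False),
    "ExampleMessenger": AppProfile("ExampleMessenger", True, False, False),
    "ExampleAdminTool": AppProfile("ExampleAdminTool", True, False, True),
}

SAMPLE_RECORDS = [
    VulnRecord("EX-0001", "ExampleBrowser", "Windows", 9.3, date(2008, 3, 10)),
    VulnRecord("EX-0002", "ExampleBrowser", "Windows", 7.0, date(2007, 11, 2)),  # boundary, counts
    VulnRecord("EX-0003", "ExampleBrowser", "Windows", 10.0, date(2008, 1, 15)),
    VulnRecord("EX-0004", "ExampleBrowser", "Windows", 5.0, date(2008, 2, 1)),   # medium, excluded
    VulnRecord("EX-0005", "ExampleBrowser", "Windows", 8.5, date(2005, 4, 1)),   # too old, excluded
    VulnRecord("EX-0006", "ExampleBrowser", "Linux", 9.0, date(2008, 4, 1)),     # not Windows, excluded
    VulnRecord("EX-0007", "ExampleMessenger", "Windows", 7.5, date(2007, 6, 1)),
    VulnRecord("EX-0008", "ExampleMessenger", "Windows", 7.8, date(2008, 5, 20)),
    VulnRecord("EX-0009", "ExampleAdminTool", "Windows", 9.0, date(2008, 2, 2)), # WSUS-managed, excluded
    VulnRecord("EX-0010", "UnknownTool", "Windows", 9.0, date(2008, 2, 2)),      # no profile, skipped
]

if __name__ == "__main__":
    for name, n in rank_applications(SAMPLE_RECORDS, SAMPLE_PROFILES):
        print(f"{name}: {n} high-severity vulnerabilities")
```

Run against the constructed inventory, the script lists ExampleBrowser with three qualifying entries and ExampleMessenger with two; the WSUS-managed tool is dropped entirely because the list only covers software the end user must patch, which is the same reason the article gives for excluding centrally updatable applications. The exclusion_reason helper is there so an IT team can see why a given entry was or was not counted rather than trusting a bare number.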