“Dirty Dozen” List of Top Desktop Applications with Security Vulnerabilities

Report Lists Top Applications With Security Vulnerabilities But Doesn’t Provide a True Representation of Which are Really The Most Dangerous

A report released this week serves as a wake-up call to users and companies, and shows the need to pay more attention to what software (and which versions!) is installed on computers and other devices such as smartphones and removable storage devices.

Bit9, Inc. today unveiled its fourth annual “Top Vulnerable Applications” report, which lists top applications with reported security vulnerabilities. It’s important to note that reports like this often don’t tell the full story or paint an accurate portrait of the state of application security. Many factors need to be weighed to say which applications are truly more dangerous than others, and the Bit9 report doesn’t seem to account for much beyond the raw number of vulnerabilities recorded in the U.S. National Institute of Standards and Technology’s (NIST) official vulnerability database.

The report lists the most popular applications used by enterprises and consumers alike, and contradicts the common belief that Apple software is the most secure. Another important note is that in the list, the Safari Web browser is reported as the culprit, not Mac OS directly.

Google Chrome placed first on the list, followed by Apple Safari and Microsoft Office. Apple and Adobe are the most represented companies with three applications each making this year’s list. Adobe recently announced that its Acrobat Reader X (to be released this month) will have a “protected mode” in order to add an extra level of protection.

The “2010 Top Vulnerable Applications” report serves as a warning to enterprises about the risks of employees downloading unauthorized software and affirms the importance of staying current with software updates.

The list ranks applications by the number of reported “high severity” vulnerabilities that impacted end users during 2010, and includes the following:

Applications with Most Vulnerabilities

1. Google Chrome (76 reported vulnerabilities)

2. Apple Safari (60)

3. Microsoft Office (57)

4. Adobe Reader and Acrobat (54)

5. Mozilla Firefox (51)

6. Sun Java Development Kit (36)

7. Adobe Shockwave Player (35)

8. Microsoft Internet Explorer (32)

9. RealNetworks RealPlayer (14)

10. Apple WebKit (9)

11. Adobe Flash Player (8)

12. Apple QuickTime (6) and Opera (6) – TIE

“The reality is every enterprise, including our own, is likely using at least one of the applications, and unpatched vulnerabilities are often used as the access point for the targeted enterprise attacks making headlines these days,” said Harry Sverdlove, CTO of Bit9. “Our new report reveals the most popular applications often have the most vulnerabilities that criminals can exploit, and serves as a wake-up call to enterprise IT teams to be vigilant about proactively protecting their endpoints and keeping all applications updated.”

In most cases, vendors on the list have issued patches to repair identified vulnerabilities. The enterprise is still at risk because the end user is often responsible for implementing the patch. Enterprise IT teams must monitor their endpoints to ensure patches have been properly applied. Enterprises and government agencies that do not have application controls in place are not able to protect against the zero-day attacks in which no patches or fixes exist.

The list of Top Vulnerable Applications was created for IT professionals who manage computers within organizations. The applications on the list were pulled from the U.S. National Institute of Standards and Technology’s (NIST) official vulnerability database and meet the following criteria:

• Is an end-user/consumer application and not an enterprise-only application such as a server or router.

• Is not classified as malicious by enterprise IT organizations or security vendors.

• Contains at least one critical vulnerability that was:

◦ Reported between January 1, 2010 and October 21, 2010.

◦ Registered in the NIST database at http://nvd.nist.gov, and given a severity rating of high (between 7.0 and 10.0) on the Common Vulnerability Scoring System (CVSS).
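The two automatable criteria above (the reporting window and the CVSS 7.0-10.0 "high" band) are the whole of the ranking method, and the example below, added here rather than taken from the report or from Bit9, reproduces that count over a handful of constructed records. The record layout is a simplified stand-in for the NVD schema, and the CVE-EXAMPLE identifiers are placeholders, not real CVEs; the "end-user application" and "not malicious" criteria are judgement calls the script does not attempt.

```python
"""Re-create the report's ranking method on constructed NVD-style records.

A vulnerability counts toward a product if it was published inside the
report's window (2010-01-01 through 2010-10-21, inclusive) and carries a
CVSS base score in the "high" band (7.0 to 10.0). The raw count says
nothing about exploitability or exposure, which is the caveat the article
raises about the report itself.
"""
from collections import Counter
from datetime import date

WINDOW_START = date(2010, 1, 1)
WINDOW_END = date(2010, 10, 21)
HIGH_MIN, HIGH_MAX = 7.0, 10.0

# Constructed sample records (not real NVD data); IDs are placeholders.
SAMPLE_RECORDS = [
    {"id": "CVE-EXAMPLE-0001", "product": "Google Chrome", "published": "2010-03-02", "cvss": 9.3},
    {"id": "CVE-EXAMPLE-0002", "product": "Google Chrome", "published": "2010-07-15", "cvss": 6.8},  # medium: excluded
    {"id": "CVE-EXAMPLE-0003", "product": "Apple Safari", "published": "2009-12-30", "cvss": 9.3},  # before window
    {"id": "CVE-EXAMPLE-0004", "product": "Apple Safari", "published": "2010-10-21", "cvss": 7.0},  # boundary: included
    {"id": "CVE-EXAMPLE-0005", "product": "Adobe Reader and Acrobat", "published": "2010-11-01", "cvss": 10.0},  # after window
    {"id": "CVE-EXAMPLE-0006", "product": "Microsoft Office", "published": "2010-06-08", "cvss": 9.3},
    {"id": "CVE-EXAMPLE-0007", "product": "Google Chrome", "published": "2010-09-01", "cvss": 7.5},
]


def is_in_scope(record):
    """True if the record satisfies both the date-window and CVSS-high criteria."""
    published = date.fromisoformat(record["published"])
    return (WINDOW_START <= published <= WINDOW_END
            and HIGH_MIN <= float(record["cvss"]) <= HIGH_MAX)


def rank_products(records):
    """Return [(product, high_count), ...] sorted by count descending, then name."""
    counts = Counter(r["product"] for r in records if is_in_scope(r))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for rank, (product, n) in enumerate(rank_products(SAMPLE_RECORDS), 1):
        print(f"{rank}. {product} ({n})")
```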

High-profile security breaches in both public and private sectors this year have increased the need to better monitor, protect and control applications and endpoints. With this report, IT managers can better understand the prevalence of application vulnerabilities, and learn how to take the necessary steps to proactively protect their endpoints and networks with new advanced threat protection technologies.

The full report is available here (registration required).
