Firefox, Opera, Safari browsers top list of high risk software

By Robert Westervelt, News Editor
16 Dec 2009 | SearchSecurity.com


Mozilla Firefox, Apple Safari and Opera browser appear in an annual list documenting highly used, high risk software as a result of serious vulnerabilities discovered in the browsers this year.

The browsers appear on a list of 11 applications deemed a high risk to enterprises. Mozilla had 44 vulnerabilities reported in 2009, some of which could cause a denial of service (DoS) and enable attackers to gain access and control a victim's machine. By contrast, Apple Safari had six serious vulnerabilities reported, including flaws that enable man-in-the-middle attacks, remote code execution and denial-of-service attacks. Opera had only two vulnerabilities reported, but they were serious enough -- allowing remote code execution if the browser attempts to process a malicious JPEG image -- to warrant its standing on the list.

In addition to Firefox and Opera, Bit9's risky software list includes Adobe Systems' Flash and Macromedia players, Acrobat and Reader PDF software, Sun Java Runtime Environment, Apple's QuickTime, RealNetworks' RealPlayer and Cerulean Studios' Trillian instant messenger client.

"We're not listing out the worst offenders, but the top applications that we think people should be concerned about," said Tom Murphy, chief strategy officer at Bit9.

Security experts have been trying to turn attention onto end-user applications, which are commonly targeted by attackers to gain a foothold into enterprise systems. The SANS Institute released a report in September citing vulnerabilities in Web-facing end user applications as a major threat. The report used data from TippingPoint's intrusion prevention systems and Qualys Inc.'s vulnerability data to lay out the increasing threat posed by the poor patching of client-side applications. The report found that two attack vectors -- client-side vulnerabilities and Web application flaws -- are often coupled together.

All the applications on the Bit9 list run on Microsoft Windows, are well known in the consumer space and are frequently downloaded by individuals. The software must have contained at least one critical vulnerability listed in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database.

Murphy said the applications pose an additional risk to enterprises because they rely on the end user to manually patch or upgrade the software to eliminate a vulnerability. Microsoft's Internet Explorer browser does not make the list because it can be centrally updated by IT administrators using tools provided by Microsoft.

Despite the move by vendors to improve patching times through the deployment of more automated updates (Firefox and Java have such methods), they still rely on some end user interaction and keep IT out of the process, Murphy said. Other software makers, Google for example, use a silent auto update that pushes out patches even faster to users.

"There are a lot of self-updating applications but it's at the expense of the end user to make that happen," Murphy said. "We're targeting this list not so much at the end user but for IT so they know what applications are running in their environment that need to be patched and that they don't have full control over."
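Murphy's point is that the list is meant for IT to discover which of these user-installed, user-patched applications are present in the environment. The following PowerShell inventory script is an added example and is not code from the article, Bit9 or any vendor named above. It reads the standard Windows Uninstall registry keys (machine-wide, 32-bit-on-64-bit and per-user) and reports any installed product whose display name matches the applications on the Bit9 list. The `$WatchList` names are assumed display-name fragments, including 'Shockwave' as an assumed reading of "Macromedia player"; substring matching can produce false positives (for example, 'Java' will match unrelated products with that word in the name), so the output is a starting point for review, not an authoritative patch list.

```powershell
# Added example: find user-installed applications from the Bit9 list on a Windows host.
# Assumptions: run with read access to HKLM; display-name fragments below are assumed.

$WatchList = @(
    'Mozilla Firefox', 'Safari', 'Opera',
    'Adobe Flash Player', 'Shockwave',      # 'Shockwave' assumed for "Macromedia player"
    'Adobe Acrobat', 'Adobe Reader',
    'Java',                                 # Sun JRE; broad match, review hits
    'QuickTime', 'RealPlayer', 'Trillian'
)

# Standard locations where installers register themselves.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs
)

function Get-WatchedSoftware {
    # Enumerate every registered product that has a display name.
    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }

    foreach ($app in $installed) {
        # First watch-list entry that appears in the product's display name, if any.
        $hit = $WatchList | Where-Object { $app.DisplayName -like "*$_*" } | Select-Object -First 1
        if ($hit) {
            [PSCustomObject]@{
                ComputerName    = $env:COMPUTERNAME
                WatchListEntry  = $hit
                DisplayName     = $app.DisplayName
                Version         = $app.DisplayVersion
                Publisher       = $app.Publisher
                InstallLocation = $app.InstallLocation
                # Per-user installs are the ones IT is least likely to see or control.
                Scope           = if ($app.PSPath -match 'HKEY_CURRENT_USER') { 'User' } else { 'Machine' }
            }
        }
    }
}

Get-WatchedSoftware | Sort-Object WatchListEntry, DisplayName | Format-Table -AutoSize
```

On a single machine this prints the matching products with their version and whether they were installed per-user or machine-wide. To collect the same data across a fleet, the function can be run on remote hosts with `Invoke-Command` and the objects exported to CSV, which gives IT the list of versions to compare against the vendors' current releases.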

Other applications that made the list in the past are either being targeted less by attackers or are not the focus of security researchers. The popular VoIP application Skype was dropped from the list in 2009 since no vulnerabilities were reported in the NIST database. Two antivirus products, Symantec's Norton Antivirus and Trend Micro's OfficeScan, also didn't make the list this year.

"The list has been getting shorter as the applications are getting maintained a little better by the vendors and they're more mature as well," Murphy said.
