The Dirty Dozen -- 2008's Most Popular Applications with Critical Security Vulnerabilities

Reputable programs are found vulnerable and security gaps are often left unaddressed.

December 17, 2008

Bit9 unveiled its annual ranking of popular consumer applications with known security vulnerabilities. Often running outside of the IT department's knowledge or control, these applications can be difficult to detect, create data leakage risk on endpoints that are otherwise secure, and cause compliance breaches that can result in costly fines. The list, published in a research brief entitled "2008's Popular Applications with Critical Vulnerabilities," is designed to highlight the need for greater visibility and control over organizations' endpoints, including laptops, PCs, servers and Point-of-Sale systems.

The list this year expanded to include 12 applications, up from 10 last year, due to the increase in vulnerabilities and the popularity of applications such as Skype and Yahoo! Assistant that are often used by employees within an enterprise.

Five of the top 12 applications with known vulnerabilities are:

  • Mozilla Firefox, versions 2.x and 3.x
  • Adobe Acrobat, versions 8.1.2 and 8.1.1
  • Microsoft Windows Live (MSN) Messenger, versions 4.7 and 5.1
  • Apple iTunes, versions 3.2 and 3.1.2
  • Skype, version

Each application on the list has the following characteristics:

  • Runs on Microsoft Windows.
  • Is well-known in the consumer space and frequently downloaded by individuals.
  • Is not classified as malicious by enterprise IT organizations or security vendors.
  • Contains at least one critical vulnerability that was first reported in January 2008 or after, is registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database, and has a severity rating of high (between 7.0 and 10.0) on the Common Vulnerability Scoring System (CVSS).
  • Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
  • Cannot be automatically and centrally updated via enterprise tools such as Microsoft SMS and WSUS.

"Year after year, we see a growing number of applications within the enterprise creating security vulnerabilities that are easily prevented through better visibility across endpoints, and a more centralized patch-management process," said Harry Sverdlove, CTO, Bit9. "2008 has been no exception. This year, along with the widely reported huge increase in malware, the number of well-known applications causing security problems for companies has also increased. Our annual ranking now covers 12 applications, up from 10 last year."