12.16.2009 – Waltham, MA – Bit9, Inc., the pioneer and leader in Enterprise Application Whitelisting, today unveiled its annual report on the top popular consumer applications with known vulnerabilities.
The list, published in the research brief entitled “Report: Top Vulnerable Applications for IT – 2009”, is created for IT professionals who are responsible for providing secure and well-managed computers while at the same time dealing with users who download software that is vulnerable to malicious attacks and is often not approved by company policy. The software on the list often runs outside of the IT department’s knowledge or control and can lead to data leakage risk and compliance breaches.
This year Adobe applications top the list, with four applications identified in the U.S. National Institute of Standards and Technology’s (NIST) official vulnerability database. Adobe Acrobat, Flash Player, Reader and Shockwave had vulnerabilities rated “High”, including ones that allowed remote attackers to execute arbitrary code, trigger memory corruption, cause denial of service or crash the application.
Other vulnerable applications on the list include:
- Apple Quicktime
- Mozilla Firefox
- Sun Java
The applications on the list meet the following criteria:
- Runs on Microsoft Windows
- Is well-known in the consumer space and frequently downloaded by individuals
- Is not classified as malicious by enterprise IT organizations or security vendors
- Contains at least one critical vulnerability that was:
  - First reported in January 2009 or after
  - Registered in the U.S. National Institute of Standards and Technology’s (NIST) official vulnerability database at http://nvd.nist.gov, and given a severity rating of High (7.0 to 10.0) on the Common Vulnerability Scoring System (CVSS)
- Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists
- Cannot be automatically and centrally updated via enterprise tools such as Microsoft SMS and WSUS
In most cases, vendors have issued patches for the identified vulnerabilities, but the enterprise is still at risk because the end user is often responsible for applying the patch. This year there were also exceptions, with some vendors taking up to a month to release patches after vulnerabilities were publicly disclosed. Enterprise IT organizations that are not monitoring their endpoints have no reliable way to ensure that these patches have been properly applied, and enterprises and government agencies that do not have application controls in place cannot protect against zero-day attacks for which no patch or fix exists.
While Microsoft Internet Explorer does not fit the criteria, it received an “honorable mention” due to the public release of a zero-day exploit targeting IE users in August. The vulnerability, which went unpatched for three weeks, demonstrates the importance of application control, automated patch management and professional vulnerability reporting. Combining security efforts and adopting a layered approach to IT risk management can greatly reduce the costs associated with data loss, malicious code and compliance breaches.
“These popular applications are frequently downloaded to laptops and desktops by users and can present unnecessary security risk to IT and business operations,” said Tom Murphy, chief strategy officer, Bit9. “We are seeing a growing number of applications within the enterprise creating security risk that can be prevented through better visibility across endpoints, a more centralized patch-management process, and application whitelisting to prevent the use of unauthorized and potentially malicious software.”
“As organizations improve their traditional network and endpoint security postures, cyber criminals are getting better at network and endpoint penetration, and have shown that vulnerabilities in any application can and will be exploited,” said Amrit Williams, CTO of BigFix. “With everyday applications creating risk in organizations, it is more important than ever to ensure automatic patch updates, comprehensive monitoring and proactive controls.”
High-profile security breaches in both the public and private sectors this year have increased the need to better monitor, protect and control applications and endpoints. With this report, IT managers can better understand the prevalence of application vulnerabilities and learn the steps needed to proactively protect their endpoints and networks with new technologies such as application whitelisting. The full research report and Bit9’s five-step approach to addressing these vulnerabilities are available from Bit9. Additional resources are available from the National Vulnerability Database (http://nvd.nist.gov) and the SANS Institute (www.sans.org).
About Bit9, Inc.
Bit9 is the pioneer and leader in Enterprise Application Whitelisting. The company’s solutions provide total visibility and control over all software on Windows computers, eliminating the risk caused by malicious, illegal and unauthorized software.
Bit9 leverages the Bit9 Global Software Registry™ – the world’s largest database of software intelligence – to identify and classify software, delivering the highest levels of endpoint security, compliance, and manageability. Bit9’s global customers include companies in a wide variety of industries, such as government, financial services, retail, healthcare, e-commerce and education.
Bit9 was awarded a prestigious $2M United States federal research grant in 2003 from the National Institute of Standards and Technology Advanced Technology Program (NIST ATP) to conduct the research that is now at the core of its application whitelisting solutions. Bit9 is privately held and based in Waltham, Massachusetts. For more information, visit http://www.bit9.com or call +1 617.393.7400.