The 'Dirty Dozen' Popular Applications With Vulnerabilities

By: Absolute Team | 12/19/2008

Bit9 released its annual ranking of popular consumer applications with known security vulnerabilities. The list, 'The Dirty Dozen', names the most widely used Windows applications that carry the security flaws most likely to compromise systems and/or private data.

All of the programs considered a security risk in this listing are Windows-based, well-known, and not classified as malicious by IT organizations. Each has at least one critical vulnerability identified in 2008 or registered with a high severity rating. Each also relies on end users to upgrade the software, because it cannot be updated through centralized enterprise update tools.

In addition to requiring end users to take responsibility for security updates, the list includes programs that often run outside the control or knowledge of IT, resulting in compliance issues and breaches that could lead to heavy fines and losses. However, the list is a little biased, since it is not clear whether these programs are more or less secure than applications that can be centrally updated. For example, Internet Explorer can be centrally updated, but it is not necessarily more secure than Firefox, which tops the 'Dirty Dozen'.

The 'Dirty Dozen', as ordered by number of vulnerabilities, are as follows:

  1. Mozilla Firefox 3.x, 2.x
  2. Adobe Flash & Acrobat: Flash 10.0 and 9.0; Acrobat 8.1.2, 8.1.1
  3. EMC VMware Player, Workstation and other products: ESXi 3.5 or earlier; Workstation 5.5.x; Player 2.0.x & 1.0.x; ACE 2.0.x & 1.0.x
  4. Sun Java Runtime Environment (JRE) Version 6 Update 6
  5. Apple QuickTime, Safari & iTunes: QuickTime 7.5.5; Safari (version not given); iTunes 3.2, 3.1.2
  6. Symantec Norton products
  7. Trend Micro OfficeScan: 8.0 SP1 before build 2439; 8.0 SP1 Patch 1 before build 3087
  8. Citrix Deterministic Network Enhancer (DNE), Access Gateway, Presentation Server: DNE; Access Gateway 4.5.7; Presentation Server 4.5
  9. Aurigma Image Uploader, Lycos FileUploader
  10. Skype
  11. Yahoo! Assistant 3.6
  12. Microsoft Windows Live Messenger 4.7 & 5.1

There is considerable evidence that requiring end users to make security decisions leads to security incidents, through lack of knowledge or understanding, so in the enterprise setting a centralized approach to IT asset management has often been the norm. The difficulty with this approach is incorporating the applications that users want and need, and working out how to manage them appropriately.

Download the report here.

Via Internet News