Mozilla's Firefox browser has earned the undesirable title of the most vulnerable software program running on the Windows platform. This will probably dismay most web developers, since it is the browser of choice for most of them thanks to its superior debugging tools. I would imagine it also comes as a shock to the Internet Explorer haters among you, especially as IE is not even on the list.
According to application white-listing vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered from critical security vulnerabilities in 2008. These flaws exposed millions of Windows users to remote code execution attacks.
The other applications on the list are all well known and range from browsers and media players to VoIP chat and anti-virus software. Here's Bit9's dirty dozen:
- Mozilla Firefox: In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflows, malformed URI links, documents, JavaScript and third-party tools.
- Adobe Flash and Adobe Acrobat: Bit9 listed 14 flaws patched this year that exposed desktops to arbitrary remote code execution via buffer overflows, "input validation issues" and malformed parameters.
- EMC VMware Player, Workstation and other products: A total of 10 bugs introduced risks ranging from privilege escalation via directory traversal to ActiveX buffer overflows leading to arbitrary code execution and denial of service.
- Sun Java JDK and JRE, Sun Java Runtime Environment (JRE): Inability to prevent execution of applets on older JRE releases could allow remote attackers to exploit vulnerabilities in those older releases. Buffer overflows allowed creation, deletion and execution of arbitrary files via untrusted applications. 10 patched vulnerabilities listed.
- Apple QuickTime, Safari and iTunes: In QuickTime, the list includes nine vulnerabilities that allow remote attackers to execute arbitrary code via buffer overflow, or cause a denial of service (heap corruption and application crash) involving malformed media files, media links and third-party codecs. The Safari for Windows browser was haunted by three flaws that could lead to arbitrary code execution and denial of service involving JavaScript arrays that trigger memory corruption. Apple's iTunes software was susceptible to improper update verification that allowed a man-in-the-middle attacker to execute arbitrary code via a Trojan horse update.
- Symantec Norton products (all flavors, 2006 to 2008): A stack-based buffer overflow in the AutoFix Support Tool ActiveX control exposed Windows users to arbitrary code execution.
- Trend Micro OfficeScan: A total of four stack-based buffer overflows that opened the door for remote attackers to execute arbitrary code.
- Citrix products: Privilege escalation in DNE via specially crafted interface requests affects Cisco VPN Client, Blue Coat WinProxy, SafeNet SoftRemote and HighAssurance Remote. A search path vulnerability and a buffer overflow lead to arbitrary code execution.
- Aurigma Image Uploader, Lycos FileUploader: Remote attackers can achieve remote code execution via overly long extended image information.
- Skype: An improper check of dangerous file extensions allows user-assisted remote attackers to bypass warning dialogs. A cross-zone scripting vulnerability allows remote attackers to inject script via the Internet Explorer web control.
- Yahoo Assistant: Remote attackers can execute arbitrary code via memory corruption.
- Microsoft Windows Live (MSN) Messenger: Remote attackers can control the Messenger application, "change state," obtain contact information and establish audio or video connections without notification.
See Bit9's full report (.pdf) for information on how the list was put together, including the criteria for inclusion.
Dec 16, 2008 at 6:28 PM Not really a valid title, Russ! The point of the "whitepaper" is that Firefox is the *most widely deployed* application that has vulnerabilities meeting their criteria, not that it's the "most vulnerable windows app."
The whole thing was really a marketing spiel for their services, listing the most widely deployed applications that have at least one vulnerability that meets a really weak set of criteria.
Dec 16, 2008 at 8:21 PM I can't say that I agree with that, Joe. Surely Flash Player has penetrated much more of the market than Firefox (see http://www.adobe.com/products/player_census/flashplayer/PC.html for Adobe's numbers). I'm not against FF in any way but I think the numbers speak for themselves.
Dec 16, 2008 at 8:32 PM OK. I agree the numbers sound off. I would imagine that Flash Player is on more PCs than FF. But Joe's point wasn't the numbers. I believe he was saying the title of this post is misleading. FF is reportedly the most widely deployed app with vulnerabilities. NOT the "most vulnerable Windows app." And I assume that's 3rd party apps. I doubt IE is considered a "deployed" app. So I agree, Steve, Flash should be first.
Dec 16, 2008 at 8:51 PM Title changed to appease the crowd.
Dec 17, 2008 at 3:11 PM Heh, if we're gonna get nitpicky about it, the new title doesn't help the issue at all. "Firefox the most widely deployed Windows application with vulnerabilities" would be accurate....
@Steve - I agree with you. FP installs are much more widespread than Firefox.
I wouldn't be surprised if outdated IE installs even outnumber Firefox installs - a much bigger security issue!
Dec 17, 2008 at 5:15 PM If memory serves, the list even includes Windows Messenger, which, despite being an optional install in Vista, is installed at least on all XP machines, and I could be wrong, but I think it was around in the Win 98 / ME (shudder @ ME) stages. I think all in all, I have to agree that this whitepaper is hype towards its creators, but nevertheless, should keep us aware that there are vulnerabilities in almost everything these days.
Dec 27, 2008 at 6:14 PM I agree with Joe, the title and content make no sense; it's just a me me me posting.
The original is here: http://www.bit9.com/news-events/press-release-details.php?id=102 entitled: Threats in Plain Sight: Bit9 Identifies ‘The Dirty Dozen’ - 2008’s Most Popular Applications with Critical Security Vulnerabilities
No pinpointing of an application in the title, just a list of the popular applications with security issues.
Dec 28, 2008 at 10:09 PM As this post, and in fact my blog, is aimed primarily at developers and not "general Windows users", this is why I specifically mention Firefox, as it is considered a developer tool these days as well as a browser. Of course those of you that do not use Firefox may not have known this. But as for the list of applications and the Bit9 report, they are not written by me, I am simply the messenger, so I really do not understand Kevin's pointless dig that it is all about me?