Top popular applications with critical security vulnerabilities

Bit9 released its annual list of the top popular applications with known vulnerabilities. Often running outside of IT’s knowledge or control, these popular applications can be difficult to detect and remove. The list, published as a research brief entitled “2007’s Popular Applications with Critical Vulnerabilities” was designed to help IT departments regain control over their desktop environments.

Each application on the list has the following characteristics:

1) Runs on Microsoft Windows.
2) Is well-known in the consumer space and frequently downloaded by individuals.
3) Is not classified as malicious by enterprise IT organizations or security vendors.
4) Contains at least one critical vulnerability:
 
a. first reported in June 2006 or after,
b. registered in the U.S. National Institute of Standards and Technology’s (NIST) official vulnerability database and
c. with a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).

5) Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.

The first five of the top ten applications with known vulnerabilities include:

1. Yahoo Messenger 8.1.0.239 and earlier
2. Apple QuickTime 7.2
3. Mozilla Firefox 2.0.0.6
4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
5. EMC VMware Player (and other products) 2.0, 1.0.4

Brian Gladstein, author of the research brief commented:

These popular applications are frequently downloaded to corporate desktops by users and can present unnecessary security risk to IT and business operations,” said “The good news is that there are several steps that IT departments can take to shield themselves and fix these vulnerabilities in the application layer.