Sign in to follow this  
Followers 0
Ironman273

Firefox tops list of 12 most vulnerable apps

48 posts in this topic

Firefox tops list of 12 most vulnerable apps

Posted by Ryan Naraine @ 10:41 am

Mozilla?s flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform.

According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008. These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs. Here?s Bit9?s dirty dozen:

  1. full report (.pdf) for information on how the list was put together, including criteria for iSource:
ZDNet4"]ZDNet[/url]

Share this post


Link to post
Share on other sites

ive had no problems

Share this post


Link to post
Share on other sites

It's not the most vulnerable app, these are holes that have been closed, since it has no holes at the moment it is equally arguable that its the most secure app. Annoyed at post title, change to List of 12 most secured apps. Secured suggests work has been done to lock apps down to keep them secure.

Share this post


Link to post
Share on other sites

i aint to worried about using Firefox since they typically patch flaws quickly.

Share this post


Link to post
Share on other sites
It's not the most vulnerable app, these are holes that have been closed, since it has no holes at the moment it is equally arguable that its the most secure app. Annoyed at post title, change to List of 12 most secured apps. Secured suggests work has been done to lock apps down to keep them secure.

Mmmmm.....They seem to have forgotten Internet Explorer. IE is worst than Mozilla. Also. seems to me every major browser, except Opera, has an issue. You don't want viruses executed on Mozilla? Install the NoScript add-on. As simple as that. And if you are still doubtful, disable Javascript entirely and stay away from Warez and porn sites!

Share this post


Link to post
Share on other sites

I think its more "The people trying to get your credit card have the source code of the program you are using" more than its holey and filled with security problems

Share this post


Link to post
Share on other sites

So what's left? Safari or Google Chrome? :unsure:

Share this post


Link to post
Share on other sites
So what's left? Safari or Google Chrome? :unsure:

Safari and Chrome both use the same Webkit engine so they will both have the same security issues.

Share this post


Link to post
Share on other sites
So what's left? Safari or Google Chrome? :unsure:

Ummm Opera?

It's free, fast and awesome :D

Share this post


Link to post
Share on other sites

Microsoft: Bit9, come here.

Bit9: Microsoft, what do you want?

Microsoft: Well, we have some cash to give you.

Bit9: Why would you give us cash, what's the catch?!

Microsoft: When you bring out your list, please do not put IE on there, but say Mozilla's Firefox has lots of issues.

Bit9: Okay, we'll do it!

Share this post


Link to post
Share on other sites

What ordering system are they using, because their second most vulnerable item has more vulnerabilities than Firefox does.

Share this post


Link to post
Share on other sites
Ummm Opera?

It's free, fast and awesome :D

w2djdd.jpg

Share this post


Link to post
Share on other sites

Well, I use 1, 2, 3, 4, 5, and 10. I must be very vulnerable.

Share this post


Link to post
Share on other sites

hahhaha

Share this post


Link to post
Share on other sites
Microsoft: Bit9, come here.

Bit9: Microsoft, what do you want?

Microsoft: Well, we have some cash to give you.

Bit9: Why would you give us cash, what's the catch?!

Microsoft: When you bring out your list, please do not put IE on there, but say Mozilla's Firefox has lots of issues.

Bit9: Okay, we'll do it!

Why post something like this? Go get the facts and come back and prove the article is wrong. You can do that right? Why would they include messenger, but not IE?

I know no one will even bother replying to my post, but thats fine, because I know you wont be able to provide the facts for what you claim, and by not responding just proves me right.

Share this post


Link to post
Share on other sites

This kind of comparison is completely invalid for one simple reason: Different vendors have different disclosure practices. Since I'm most familiar with Mozilla and Firefox I use them as an example, Mozilla does full disclosure on all their security issues, IE/Opera/Safari only reveal security issues that were found by 3rd party researchers. Since over half of all Firefox security issues are found by in-house staff, it's logical to assume that other vendors find even more of their security issues (especially the ones that are closed source). Hence this kinda of comparison favors heavily vendors that have poor security policies.

Share this post


Link to post
Share on other sites

Opera runs on Mac.

Share this post


Link to post
Share on other sites

potus-macuser-big1-10.jpg

pacman eating big apple bit

that brilliant :laugh: :D

Share this post


Link to post
Share on other sites
potus-macuser-big1-10.jpg

pacman eating big apple bit

that brilliant :laugh: :D

LOL! At least he's got a sense of humor.

Share this post


Link to post
Share on other sites

According to Secunia, in 2008 the browsers had...

  • Firefox 3: 8
  • Firefox 2: 10
  • IE6: 13
  • IE7: 11

I wonder what source Bit9 uses, and what sorting they use (Putting Firefox first seems arbitrary)

Share this post


Link to post
Share on other sites

Did you guys EVEN bother to read the .PDF file? I will take that as a NO.

The applications on this list meet the following criteria.

1)Runs on Microsoft Windows.

2)Is well-known in the consumer space and frequently downloaded by individuals.

3)Is not classified as malicious by enterprise IT organizations or security vendors.

4)Contains at least one critical vulnerability that was:

a. first reported in January 2008 or after,

b. registered in the U.S.National Institute of Standards and Technology?s (NIST) official vulnerability database at http://nvd.nist.gov,and

c. given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).

5)Relies on the end user,rather than a central administrator,to manually patch or upgrade the software to eliminate the vulnerability,if such a patch exists.

6)The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.Note that in most cases,the vendors of these applications have issued patches or other instructions for eliminating the vulnerability. But the nature of these applications is such that the user is responsible for implementing the patch.Enterprise IT organizations can not reliably ensure these patches have been properly applied?if at all representing an inherent exposure in protecting the enterprise network.

Finally,the applications on the list have been ranked according to the popularity of the application,number and severity of vulnerabilities, and difficulty of detection and/or patching by central IT.

3) Monitor the Internet for new vulnerabilities.

4) Monitor your PCs using soft- ware identification services.

5) Enforce application controls using Bit9 Parity.

Share this post


Link to post
Share on other sites

So IE's excluded because it's built into Windows, and so can be updated via WSUS?

Share this post


Link to post
Share on other sites

Yes, the point of this report was to highlight applications that had security holes and are commonly used BUT cant be easy updated in a corp network

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.