Firefox tops list of 12 most vulnerable apps


Recommended Posts

Firefox tops list of 12 most vulnerable apps

Posted by Ryan Naraine @ 10:41 am

Mozilla?s flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform.

According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008. These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs. Here?s Bit9?s dirty dozen:

  1. full report (.pdf) for information on how the list was put together, including criteria for iSource:
ZDNet4"]ZDNet[/url]
Link to comment
Share on other sites

It's not the most vulnerable app, these are holes that have been closed, since it has no holes at the moment it is equally arguable that its the most secure app. Annoyed at post title, change to List of 12 most secured apps. Secured suggests work has been done to lock apps down to keep them secure.

Link to comment
Share on other sites

It's not the most vulnerable app, these are holes that have been closed, since it has no holes at the moment it is equally arguable that its the most secure app. Annoyed at post title, change to List of 12 most secured apps. Secured suggests work has been done to lock apps down to keep them secure.

Mmmmm.....They seem to have forgotten Internet Explorer. IE is worst than Mozilla. Also. seems to me every major browser, except Opera, has an issue. You don't want viruses executed on Mozilla? Install the NoScript add-on. As simple as that. And if you are still doubtful, disable Javascript entirely and stay away from Warez and porn sites!

Link to comment
Share on other sites

I think its more "The people trying to get your credit card have the source code of the program you are using" more than its holey and filled with security problems

Link to comment
Share on other sites

So what's left? Safari or Google Chrome? :unsure:

Safari and Chrome both use the same Webkit engine so they will both have the same security issues.

Link to comment
Share on other sites

So what's left? Safari or Google Chrome? :unsure:

Ummm Opera?

It's free, fast and awesome :D

Link to comment
Share on other sites

Microsoft: Bit9, come here.

Bit9: Microsoft, what do you want?

Microsoft: Well, we have some cash to give you.

Bit9: Why would you give us cash, what's the catch?!

Microsoft: When you bring out your list, please do not put IE on there, but say Mozilla's Firefox has lots of issues.

Bit9: Okay, we'll do it!

Link to comment
Share on other sites

Microsoft: Bit9, come here.

Bit9: Microsoft, what do you want?

Microsoft: Well, we have some cash to give you.

Bit9: Why would you give us cash, what's the catch?!

Microsoft: When you bring out your list, please do not put IE on there, but say Mozilla's Firefox has lots of issues.

Bit9: Okay, we'll do it!

Why post something like this? Go get the facts and come back and prove the article is wrong. You can do that right? Why would they include messenger, but not IE?

I know no one will even bother replying to my post, but thats fine, because I know you wont be able to provide the facts for what you claim, and by not responding just proves me right.

Link to comment
Share on other sites

This kind of comparison is completely invalid for one simple reason: Different vendors have different disclosure practices. Since I'm most familiar with Mozilla and Firefox I use them as an example, Mozilla does full disclosure on all their security issues, IE/Opera/Safari only reveal security issues that were found by 3rd party researchers. Since over half of all Firefox security issues are found by in-house staff, it's logical to assume that other vendors find even more of their security issues (especially the ones that are closed source). Hence this kinda of comparison favors heavily vendors that have poor security policies.

Link to comment
Share on other sites

According to Secunia, in 2008 the browsers had...

  • Firefox 3: 8
  • Firefox 2: 10
  • IE6: 13
  • IE7: 11

I wonder what source Bit9 uses, and what sorting they use (Putting Firefox first seems arbitrary)

Link to comment
Share on other sites

Did you guys EVEN bother to read the .PDF file? I will take that as a NO.

The applications on this list meet the following criteria.

1)Runs on Microsoft Windows.

2)Is well-known in the consumer space and frequently downloaded by individuals.

3)Is not classified as malicious by enterprise IT organizations or security vendors.

4)Contains at least one critical vulnerability that was:

a. first reported in January 2008 or after,

b. registered in the U.S.National Institute of Standards and Technology?s (NIST) official vulnerability database at http://nvd.nist.gov,and

c. given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).

5)Relies on the end user,rather than a central administrator,to manually patch or upgrade the software to eliminate the vulnerability,if such a patch exists.

6)The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.Note that in most cases,the vendors of these applications have issued patches or other instructions for eliminating the vulnerability. But the nature of these applications is such that the user is responsible for implementing the patch.Enterprise IT organizations can not reliably ensure these patches have been properly applied?if at all representing an inherent exposure in protecting the enterprise network.

Finally,the applications on the list have been ranked according to the popularity of the application,number and severity of vulnerabilities, and difficulty of detection and/or patching by central IT.

3) Monitor the Internet for new vulnerabilities.

4) Monitor your PCs using soft- ware identification services.

5) Enforce application controls using Bit9 Parity.

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.