Firefox tops list of 12 most vulnerable apps

[Ironman273]

Firefox tops list of 12 most vulnerable apps

Posted by Ryan Naraine @ 10:41 am

Mozilla?s flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform.

According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008. These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs. Here?s Bit9?s dirty dozen:

1. full report (.pdf) for information on how the list was put together, including criteria for iSource:

ZDNet4"]ZDNet[/url]

[Brandon]

ive had no problems

[thealexweb]

It's not the most vulnerable app, these are holes that have been closed, since it has no holes at the moment it is equally arguable that its the most secure app. Annoyed at post title, change to List of 12 most secured apps. Secured suggests work has been done to lock apps down to keep them secure.

[inactive]

i aint to worried about using Firefox since they typically patch flaws quickly.

[Scorbing]

It's not the most vulnerable app, these are holes that have been closed, since it has no holes at the moment it is equally arguable that its the most secure app. Annoyed at post title, change to List of 12 most secured apps. Secured suggests work has been done to lock apps down to keep them secure.

Mmmmm.....They seem to have forgotten Internet Explorer. IE is worst than Mozilla. Also. seems to me every major browser, except Opera, has an issue. You don't want viruses executed on Mozilla? Install the NoScript add-on. As simple as that. And if you are still doubtful, disable Javascript entirely and stay away from Warez and porn sites!

[Nicholas-c Veteran]

I think its more "The people trying to get your credit card have the source code of the program you are using" more than its holey and filled with security problems

[Denholm]

So what's left? Safari or Google Chrome? :unsure:

[Scorbing]

So what's left? Safari or Google Chrome? :unsure:

Safari and Chrome both use the same Webkit engine so they will both have the same security issues.

[-T- Member]

So what's left? Safari or Google Chrome? :unsure:

Ummm Opera?

It's free, fast and awesome :D

[The Canadian]

Microsoft: Bit9, come here.

Bit9: Microsoft, what do you want?

Microsoft: Well, we have some cash to give you.

Bit9: Why would you give us cash, what's the catch?!

Microsoft: When you bring out your list, please do not put IE on there, but say Mozilla's Firefox has lots of issues.

Bit9: Okay, we'll do it!

[The_Decryptor Veteran]

What ordering system are they using, because their second most vulnerable item has more vulnerabilities than Firefox does.

[Blindlabel013]

Ummm Opera?

It's free, fast and awesome :D

[DigitalE]

Well, I use 1, 2, 3, 4, 5, and 10. I must be very vulnerable.

[Ci7]

hahhaha

[I am Reid]

Microsoft: Bit9, come here.

Bit9: Microsoft, what do you want?

Microsoft: Well, we have some cash to give you.

Bit9: Why would you give us cash, what's the catch?!

Microsoft: When you bring out your list, please do not put IE on there, but say Mozilla's Firefox has lots of issues.

Bit9: Okay, we'll do it!

Why post something like this? Go get the facts and come back and prove the article is wrong. You can do that right? Why would they include messenger, but not IE?

I know no one will even bother replying to my post, but thats fine, because I know you wont be able to provide the facts for what you claim, and by not responding just proves me right.

[arrrgh]

This kind of comparison is completely invalid for one simple reason: Different vendors have different disclosure practices. Since I'm most familiar with Mozilla and Firefox I use them as an example, Mozilla does full disclosure on all their security issues, IE/Opera/Safari only reveal security issues that were found by 3rd party researchers. Since over half of all Firefox security issues are found by in-house staff, it's logical to assume that other vendors find even more of their security issues (especially the ones that are closed source). Hence this kinda of comparison favors heavily vendors that have poor security policies.

[Denholm]

One small problem. Obama is a Mac user. :laugh:

[megamanXplosion]

Opera runs on Mac.

[Ci7]

pacman eating big apple bit

that brilliant :laugh: :D

[-Hiroshi-]

pacman eating big apple bit

that brilliant :laugh: :D

LOL! At least he's got a sense of humor.

[The_Decryptor Veteran]

According to Secunia, in 2008 the browsers had...

• Firefox 3: 8
  
• Firefox 2: 10
  
• IE6: 13
  
• IE7: 11
  

I wonder what source Bit9 uses, and what sorting they use (Putting Firefox first seems arbitrary)

[DanManIt]

^

Exactly, doesn't make sense

[tunafish]

Did you guys EVEN bother to read the .PDF file? I will take that as a NO.

The applications on this list meet the following criteria.

1)Runs on Microsoft Windows.

2)Is well-known in the consumer space and frequently downloaded by individuals.

3)Is not classified as malicious by enterprise IT organizations or security vendors.

4)Contains at least one critical vulnerability that was:

a. first reported in January 2008 or after,

b. registered in the U.S.National Institute of Standards and Technology?s (NIST) official vulnerability database at http://nvd.nist.gov,and

c. given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).

5)Relies on the end user,rather than a central administrator,to manually patch or upgrade the software to eliminate the vulnerability,if such a patch exists.

6)The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.Note that in most cases,the vendors of these applications have issued patches or other instructions for eliminating the vulnerability. But the nature of these applications is such that the user is responsible for implementing the patch.Enterprise IT organizations can not reliably ensure these patches have been properly applied?if at all representing an inherent exposure in protecting the enterprise network.

Finally,the applications on the list have been ranked according to the popularity of the application,number and severity of vulnerabilities, and difficulty of detection and/or patching by central IT.

3) Monitor the Internet for new vulnerabilities.

4) Monitor your PCs using soft- ware identification services.

5) Enforce application controls using Bit9 Parity.

[The_Decryptor Veteran]

So IE's excluded because it's built into Windows, and so can be updated via WSUS?

[tunafish]

Yes, the point of this report was to highlight applications that had security holes and are commonly used BUT cant be easy updated in a corp network