Firefox tops list of 12 most vulnerable apps



Did you guys EVEN bother to read the .PDF file? I will take that as a NO.

The applications on this list meet the following criteria.

1) Runs on Microsoft Windows.

2) Is well-known in the consumer space and frequently downloaded by individuals.

3) Is not classified as malicious by enterprise IT organizations or security vendors.

4) Contains at least one critical vulnerability that was:

a. first reported in January 2008 or after,

b. registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and

c. given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).

5) Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.

6) The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS. Note that in most cases, the vendors of these applications have issued patches or other instructions for eliminating the vulnerability. But the nature of these applications is such that the user is responsible for implementing the patch. Enterprise IT organizations can not reliably ensure these patches have been properly applied, if at all, representing an inherent exposure in protecting the enterprise network.

Finally, the applications on the list have been ranked according to the popularity of the application, number and severity of vulnerabilities, and difficulty of detection and/or patching by central IT.

3) Monitor the Internet for new vulnerabilities.

4) Monitor your PCs using software identification services.

5) Enforce application controls using Bit9 Parity.
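As an added illustration of the selection criteria quoted above (not code from the thread or from the report's authors), this script applies criteria 1, 4, 5 and 6 to a handful of constructed, NVD-shaped records and orders the survivors. The record fields, the placeholder CVE ids and the tie-break ordering (count of qualifying vulnerabilities, then highest CVSS) are all assumptions; the report's real weighting by popularity is not given on the page.

```python
from datetime import date

# Criterion 4a: first reported in January 2008 or after (inclusive).
CUTOFF = date(2008, 1, 1)

# Constructed sample records in an NVD-like shape. Ids are placeholders,
# not real CVEs. "user_patched" / "central_update" are assumed flags that
# stand in for criteria 5 and 6; criteria 2 and 3 are taken as already met.
SAMPLE_APPS = [
    {"app": "Browser A", "windows": True, "user_patched": True, "central_update": False,
     "vulns": [{"id": "CVE-0000-0001", "published": date(2008, 3, 10), "cvss": 9.3},
               {"id": "CVE-0000-0002", "published": date(2007, 11, 2), "cvss": 10.0},
               {"id": "CVE-0000-0003", "published": date(2008, 6, 1), "cvss": 7.5}]},
    {"app": "Reader B", "windows": True, "user_patched": True, "central_update": False,
     "vulns": [{"id": "CVE-0000-0004", "published": date(2008, 2, 14), "cvss": 6.8},
               {"id": "CVE-0000-0005", "published": date(2008, 5, 5), "cvss": 9.3}]},
    # Excluded by criterion 6: it can be pushed through SMS/WSUS.
    {"app": "Media C", "windows": True, "user_patched": True, "central_update": True,
     "vulns": [{"id": "CVE-0000-0006", "published": date(2008, 4, 1), "cvss": 10.0}]},
    # Excluded by criterion 1: not a Windows application.
    {"app": "Client D", "windows": False, "user_patched": True, "central_update": False,
     "vulns": [{"id": "CVE-0000-0007", "published": date(2008, 1, 1), "cvss": 9.0}]},
]


def qualifying_vulns(app):
    """Vulnerabilities meeting criterion 4: on/after the cutoff and CVSS high (7.0-10.0)."""
    return [v for v in app["vulns"]
            if v["published"] >= CUTOFF and 7.0 <= v["cvss"] <= 10.0]


def meets_criteria(app):
    """Criteria 1, 5 and 6 on the application, plus at least one vuln meeting criterion 4."""
    return (app["windows"] and app["user_patched"]
            and not app["central_update"] and bool(qualifying_vulns(app)))


def rank(apps):
    """Names of qualifying apps, most exposed first (assumed ordering, see lead-in)."""
    survivors = [a for a in apps if meets_criteria(a)]
    survivors.sort(key=lambda a: (len(qualifying_vulns(a)),
                                  max(v["cvss"] for v in qualifying_vulns(a))),
                   reverse=True)
    return [a["app"] for a in survivors]


if __name__ == "__main__":
    for name in rank(SAMPLE_APPS):
        print(name)
```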

So apparently as long as an app can be patched through WSUS it's automatically not vulnerable enough for that list, no matter if actual patches exist or not?

Way to :rolleyes:

Also I'd think you should be able to deploy new Firefox versions through SMS.


You are not getting the point of this post.

The point of this post is to highlight programs that are commonly used BUT can't be updated via a central updating deployment server on a network.

Picture this: you're an IT tech for a big company. Department A says "I need my web developers to have access to an installation of Firefox and Flash Player." Right, so of course, as this is a corp network, the computers would in theory be locked down, preventing users from installing software etc.

So IT tech comes over and has to install them via an admin account etc.

The problem is now, these programs have been installed yet the specific user might not have access permissions to install updates etc. As the system admin has no central way to deploy updates for these programs.

This is why this report was created: to highlight the fact that corp networks might have these programs installed, and they have HAD some serious security holes in them and CAN'T be updated as easily as other programs that can be deployed via WSUS etc.

This is why where I work we generally don't allow users to install software onto our network, because we can't deploy updates for it etc.

A workaround might be to make a package of said program using Ghost, but then you need an MSI installer and some programs don't play nice with packages etc. Then you have no idea if the package installed or the software is updated unless you go to said computer.


The point of this post is to highlight programs that are commonly used BUT can't be updated via a central updating deployment server on a network.

But the thing is Firefox updates can actually be pushed through SMS.


like previously said, the list is bull**** because they're reporting FIXED vulnerabilities...aka NOT-vulnerabilities.

The thing is a patch exists before it's fixed. And if a hacker uses it for himself for doing "small" personal hacks or trojans, rather than spreading a huge mass attack, then it may very well have existed and been exploited for months or even years before it's found and fixed.

What exactly do you think is worse for a corporation: a mass attack of a virus, worm or trojan that is easily detected and stopped in the firewall and isn't even designed to specifically damage them or steal info from them, or a lone hacker using an unknown security flaw to specifically target them and steal corporate information or destroy information...


The thing is a patch exists before it's fixed. And if a hacker uses it for himself for doing "small" personal hacks or trojans, rather than spreading a huge mass attack, then it may very well have existed and been exploited for months or even years before it's found and fixed.

What exactly do you think is worse for a corporation: a mass attack of a virus, worm or trojan that is easily detected and stopped in the firewall and isn't even designed to specifically damage them or steal info from them, or a lone hacker using an unknown security flaw to specifically target them and steal corporate information or destroy information...

Still they should be counting vulnerabilities with relative weight depending on their severity, released patches and time it took to patch them.

A fixed vulnerability will always be worse than no vulnerabilities at all, but that's hardly the whole story. Counting the number of fixed vulnerabilities proves nothing (at least nothing of whatever the study is pretending to prove).


So what's left? Safari or Google Chrome? :unsure:

No ! Real dudes browse teh Interwebs with Lynx ! :D :D


Mmmmm..... They seem to have forgotten Internet Explorer. IE is worse than Mozilla. Also, it seems to me every major browser, except Opera, has an issue. You don't want viruses executed on Mozilla? Install the NoScript add-on. As simple as that. And if you are still doubtful, disable JavaScript entirely and stay away from warez and porn sites!

Opera doesn't have many problems because of the simple fact that nobody uses it! In recent years Firefox has eroded its user base.


And so can Acrobat Reader patches actually, yet it's on the list.

Yes, I just mentioned Firefox because it's the top item on the list.

No ! Real dudes browse teh Interwebs with Lynx !

Na, Lynx is for pussies. Real men browse with wget and vi :laugh:


You are not getting the point of this post... [snip]

The only person who actually read the entire thing in the first place!

Bwahahaha to all the fan boys! My God you people are hysterical! I actually want to **** myself at the reactions because they are so predictable!!

Nothing, but nothing is worse than a kneejerk reaction to something that actually means a big fat zero in the big scheme of things!!


The only person who actually read the entire thing in the first place!

Bwahahaha to all the fan boys! My God you people are hysterical! I actually want to **** myself at the reactions because they are so predictable!!

Nothing, but nothing is worse than a kneejerk reaction to something that actually means a big fat zero in the big scheme of things!!

Good to see that you read the thread.


Good to see that you read the thread.

Yes, the entire thread and the PDF that I downloaded was a pretty good read I must say!!


Why post something like this? Go get the facts and come back and prove the article is wrong. You can do that, right? Why would they include Messenger, but not IE?

I know no one will even bother replying to my post, but that's fine, because I know you won't be able to provide the facts for what you claim, and by not responding you just prove me right.

Do you even understand the concept of humour? By your answer I know you cannot take a joke... your life must suck for being serious all the time!


like previously said, the list is bull**** because they're reporting FIXED vulnerabilities...aka NOT-vulnerabilities.

Read the damn report. It's immensely useful.

Those fixed vulnerabilities aren't fixed for people who haven't installed the patches or updates. The whole point of the report was to cover software that users install on their corporate machines, but which aren't centrally managed. It IS a useful report if you're an IT admin who is responsible for securing machines.

A fixed vulnerability will always be worse than no vulnerabilities at all, but that's hardly the whole story. Counting the number of fixed vulnerabilities proves nothing (at least nothing of whatever the study is pretending to prove).

Actually it proves exactly what the report is trying to prove. If you read and understood its goal then you wouldn't make ignorant statements like this.

It isn't trying to say specifically that any or all of these applications are *bad* or that their developers are doing a poor job. It's not a shame list exactly, it's a notice for IT admins to be wary of these applications when their users install them. It's a heads-up to audit which of these applications are installed and to address making sure they are up to date with the necessary fixes.


Actually it proves exactly what the report is trying to prove. If you read and understood its goal then you wouldn't make ignorant statements like this.

It isn't trying to say specifically that any or all of these applications are *bad* or that their developers are doing a poor job. It's not a shame list exactly, it's a notice for IT admins to be wary of these applications when their users install them. It's a heads-up to audit which of these applications are installed and to address making sure they are up to date with the necessary fixes.

Except that at least some of the listed apps can be updated through SMS, which was one of their own conditions to exclude other apps.

Released vulnerabilities alone is not an adequate metric to rate applications, more so when you actually can centrally update all your apps.
