Archived

This topic is now archived and is closed to further replies.

Firefox tops list of 12 most vulnerable apps

Recommended Posts

Ironman273    1,095
Firefox tops list of 12 most vulnerable apps

Posted by Ryan Naraine @ 10:41 am

Mozilla?s flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform.

According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008. These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs. Here?s Bit9?s dirty dozen:

  1. full report (.pdf) for information on how the list was put together, including criteria for iSource:
ZDNet4"]ZDNet[/url]

Share this post


Link to post
Share on other sites
Brandon    181

ive had no problems

Share this post


Link to post
Share on other sites
thealexweb    195

It's not the most vulnerable app, these are holes that have been closed, since it has no holes at the moment it is equally arguable that its the most secure app. Annoyed at post title, change to List of 12 most secured apps. Secured suggests work has been done to lock apps down to keep them secure.

Share this post


Link to post
Share on other sites
ThaCrip    199

i aint to worried about using Firefox since they typically patch flaws quickly.

Share this post


Link to post
Share on other sites
Scorbing    516
It's not the most vulnerable app, these are holes that have been closed, since it has no holes at the moment it is equally arguable that its the most secure app. Annoyed at post title, change to List of 12 most secured apps. Secured suggests work has been done to lock apps down to keep them secure.

Mmmmm.....They seem to have forgotten Internet Explorer. IE is worst than Mozilla. Also. seems to me every major browser, except Opera, has an issue. You don't want viruses executed on Mozilla? Install the NoScript add-on. As simple as that. And if you are still doubtful, disable Javascript entirely and stay away from Warez and porn sites!

Share this post


Link to post
Share on other sites
Nicholas-c    36

I think its more "The people trying to get your credit card have the source code of the program you are using" more than its holey and filled with security problems

Share this post


Link to post
Share on other sites
Denholm    2

So what's left? Safari or Google Chrome? :unsure:

Share this post


Link to post
Share on other sites
Scorbing    516
So what's left? Safari or Google Chrome? :unsure:

Safari and Chrome both use the same Webkit engine so they will both have the same security issues.

Share this post


Link to post
Share on other sites
-T-    615
So what's left? Safari or Google Chrome? :unsure:

Ummm Opera?

It's free, fast and awesome :D

Share this post


Link to post
Share on other sites
The Canadian    0

Microsoft: Bit9, come here.

Bit9: Microsoft, what do you want?

Microsoft: Well, we have some cash to give you.

Bit9: Why would you give us cash, what's the catch?!

Microsoft: When you bring out your list, please do not put IE on there, but say Mozilla's Firefox has lots of issues.

Bit9: Okay, we'll do it!

Share this post


Link to post
Share on other sites
The_Decryptor    1,105

What ordering system are they using, because their second most vulnerable item has more vulnerabilities than Firefox does.

Share this post


Link to post
Share on other sites
Blindlabel013    2
Ummm Opera?

It's free, fast and awesome :D

w2djdd.jpg

Share this post


Link to post
Share on other sites
DigitalE    10

Well, I use 1, 2, 3, 4, 5, and 10. I must be very vulnerable.

Share this post


Link to post
Share on other sites
Ci7    187

hahhaha

Share this post


Link to post
Share on other sites
I am Reid    45
Microsoft: Bit9, come here.

Bit9: Microsoft, what do you want?

Microsoft: Well, we have some cash to give you.

Bit9: Why would you give us cash, what's the catch?!

Microsoft: When you bring out your list, please do not put IE on there, but say Mozilla's Firefox has lots of issues.

Bit9: Okay, we'll do it!

Why post something like this? Go get the facts and come back and prove the article is wrong. You can do that right? Why would they include messenger, but not IE?

I know no one will even bother replying to my post, but thats fine, because I know you wont be able to provide the facts for what you claim, and by not responding just proves me right.

Share this post


Link to post
Share on other sites
macel    72

This kind of comparison is completely invalid for one simple reason: Different vendors have different disclosure practices. Since I'm most familiar with Mozilla and Firefox I use them as an example, Mozilla does full disclosure on all their security issues, IE/Opera/Safari only reveal security issues that were found by 3rd party researchers. Since over half of all Firefox security issues are found by in-house staff, it's logical to assume that other vendors find even more of their security issues (especially the ones that are closed source). Hence this kinda of comparison favors heavily vendors that have poor security policies.

Share this post


Link to post
Share on other sites
Denholm    2
w2djdd.jpg

One small problem. Obama is a Mac user. :laugh:

Share this post


Link to post
Share on other sites
megamanXplosion    4

Opera runs on Mac.

Share this post


Link to post
Share on other sites
Ci7    187

potus-macuser-big1-10.jpg

pacman eating big apple bit

that brilliant :laugh: :D

Share this post


Link to post
Share on other sites
-Hiroshi-    0
potus-macuser-big1-10.jpg

pacman eating big apple bit

that brilliant :laugh: :D

LOL! At least he's got a sense of humor.

Share this post


Link to post
Share on other sites
The_Decryptor    1,105

According to Secunia, in 2008 the browsers had...

  • Firefox 3: 8
  • Firefox 2: 10
  • IE6: 13
  • IE7: 11

I wonder what source Bit9 uses, and what sorting they use (Putting Firefox first seems arbitrary)

Share this post


Link to post
Share on other sites
DanManIt    0

^

Exactly, doesn't make sense

Share this post


Link to post
Share on other sites
tunafish    7

Did you guys EVEN bother to read the .PDF file? I will take that as a NO.

The applications on this list meet the following criteria.

1)Runs on Microsoft Windows.

2)Is well-known in the consumer space and frequently downloaded by individuals.

3)Is not classified as malicious by enterprise IT organizations or security vendors.

4)Contains at least one critical vulnerability that was:

a. first reported in January 2008 or after,

b. registered in the U.S.National Institute of Standards and Technology?s (NIST) official vulnerability database at http://nvd.nist.gov,and

c. given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).

5)Relies on the end user,rather than a central administrator,to manually patch or upgrade the software to eliminate the vulnerability,if such a patch exists.

6)The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.Note that in most cases,the vendors of these applications have issued patches or other instructions for eliminating the vulnerability. But the nature of these applications is such that the user is responsible for implementing the patch.Enterprise IT organizations can not reliably ensure these patches have been properly applied?if at all representing an inherent exposure in protecting the enterprise network.

Finally,the applications on the list have been ranked according to the popularity of the application,number and severity of vulnerabilities, and difficulty of detection and/or patching by central IT.

3) Monitor the Internet for new vulnerabilities.

4) Monitor your PCs using soft- ware identification services.

5) Enforce application controls using Bit9 Parity.

Share this post


Link to post
Share on other sites
The_Decryptor    1,105

So IE's excluded because it's built into Windows, and so can be updated via WSUS?

Share this post


Link to post
Share on other sites
tunafish    7

Yes, the point of this report was to highlight applications that had security holes and are commonly used BUT cant be easy updated in a corp network

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.