Statistics from Bit9 serve as a reminder of the importance of keeping application patches up-to-date in the enterprise.
Application vulnerabilities are the honey bringing attackers out of their
According to an analysis by Bit9, released Dec. 16, this year's list of applications with the most serious vulnerabilities had Adobe Reader, Acrobat, Flash Player and Shockwave at the top. For IT administrators, the findings are a reminder of the importance of keeping track of vulnerable endpoints.
"Operating systems have been a focus point of security research over the last 10 years and have improved significantly," said Wolfgang Kandek, CTO of Qualys. "The importance of keeping systems up-to-date is clear to most IT administrators. Applications have not followed the same pattern and are now a simpler target for attackers, who are opportunistic in their behavior."
As a whole, the NIST (National Institute of Standards and Technology) database shows vulnerabilities in Adobe Systems applications jumped from 66 in 2008 to 99 in 2009, noted Kate Munro, director of product marketing at Bit9. More than 70 of this year's Adobe vulnerabilities were rated "high," she added.
In many cases, the responsibility of deploying patches falls on users and IT administrators. In the workplace, administrators need to know what programs are on their networks' computers in order to exercise control, Munro said.
"To achieve this, they need to do a live inventory of all the software on their endpoints," she said. "This establishes a baseline. From there they can create an application that defines what is acceptable, safe and approved to run for the company. It can be a policy or 'whitelist' for individuals or for groups of users at their company."
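The inventory-to-baseline-to-whitelist process Munro describes can be made concrete. The following is an added example, not code from Bit9, Qualys or the article: it takes a constructed software inventory (hosts, product names, versions), builds a per-product baseline, and evaluates every install against an approved-application policy that also carries a minimum patched version, so an administrator can see both what is not approved to run and what is approved but outdated. The product names, version numbers and host names are constructed for the illustration and are not drawn from the article.

```python
"""Endpoint software baseline and whitelist check (added example, not from the article).

Given a live inventory of installed software, establish a baseline and
evaluate each install against an approved-application policy with a minimum
acceptable version. All inventory rows, products and versions below are
constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    status: str  # "unapproved" (not on the whitelist) or "outdated" (below minimum version)


def parse_version(version: str) -> tuple:
    """Turn '1.6.0_17' or '12.0.6514.5000' into a tuple of ints for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


# Constructed policy: product (lower-cased) -> minimum acceptable version.
# Anything not listed here is not approved to run.
POLICY = {
    "adobe reader": "9.2.0",
    "adobe flash player": "10.0.42",
    "microsoft office": "12.0.6514",
}

# Constructed inventory, as a live endpoint scan might report it.
INVENTORY = [
    Install("ws-01", "Adobe Reader", "9.2.0"),
    Install("ws-02", "Adobe Reader", "8.1.2"),
    Install("ws-02", "Adobe Flash Player", "10.0.32.18"),
    Install("ws-03", "Sun Java", "1.6.0_17"),
    Install("ws-03", "Microsoft Office", "12.0.6514.5000"),
]


def build_baseline(inventory):
    """Baseline: product -> set of (host, version) pairs actually present."""
    baseline = {}
    for inst in inventory:
        baseline.setdefault(inst.product.lower(), set()).add((inst.host, inst.version))
    return baseline


def evaluate(inventory, policy):
    """Compare every install against the whitelist and its minimum version."""
    findings = []
    for inst in inventory:
        key = inst.product.lower()
        if key not in policy:
            findings.append(Finding(inst.host, inst.product, inst.version, "unapproved"))
        elif parse_version(inst.version) < parse_version(policy[key]):
            findings.append(Finding(inst.host, inst.product, inst.version, "outdated"))
    return findings


def summarize(findings):
    """Count findings per (product, status) so the worst offenders surface first."""
    counts = {}
    for f in findings:
        k = (f.product.lower(), f.status)
        counts[k] = counts.get(k, 0) + 1
    return counts


if __name__ == "__main__":
    for product, installs in sorted(build_baseline(INVENTORY).items()):
        print(f"baseline {product}: {sorted(installs)}")
    for f in evaluate(INVENTORY, POLICY):
        print(f"{f.host}: {f.product} {f.version} -> {f.status}")
```

Running the module on the constructed inventory flags the outdated Reader and Flash installs on ws-02 and the unapproved Java install on ws-03, while the up-to-date Reader and Office installs pass. Version strings are compared numerically, component by component, so a longer build number such as 12.0.6514.5000 is correctly treated as meeting a 12.0.6514 minimum.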
Administrators should focus on applications in this order: Adobe Reader, Adobe Flash, Microsoft Office, Sun Java and Apple QuickTime, Kandek opined.
"Attackers have realized that the installed base of Adobe software (Reader and Flash) is very big, potentially bigger than the Windows installed base ... Adobe's new structured process is helpful, but we still need to deal with the old installed and outdated software base that will not get updated without major work. [A] Firefox plug-in checker is a good first step, but we will need more cooperation between OS vendors and application providers,"