They may be hiding beneath your bed or in the darkest corners of your business, but you know them when you smell them: applications so popular youd have to break users fingers to stop them from creeping into the network.
Without further ado, the list of the years Top 12 popular applications with critical vulnerabilities, according to a yearly ranking from Bit9, a vendor of application and device control technology:
1. Yahoo Messenger, 184.108.40.206 and earlier
2. Apple QuickTime 7.2
3. Mozilla Firefox 220.127.116.11
4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
5. VMware Player (and other products) 2.0, 1.0.4
6. Apple iTunes 7.3.2
7. Intuit QuickBooks Online Edition, 9 and earlier
8. Sun Java Runtime Environment (JRE) 1.6.0_X
9. Yahoo Widgets 4.0.5 and previous
10. Ask.com Toolbar 18.104.22.168 and previous
11. Broadcom wireless device driver as used in Cisco Linksys WPC300N Wireless-N Notebook Adapter 22.214.171.124
12. Macrovision (formerly InstallShield) InstallFromTheWeb, unversioned
Bit9 drew from a variety of sources to develop the list, including the National Vulnerability Database, the SANS Institute and the U.S. Computer Emergency Readiness Team, and based it on a handful of other criteria, including the fact that patching these problem programs is left up to users (yes, thats why Internet Explorer doesnt show up).
Moreover, to make the list, an application must run on Microsoft Windows; be well-known to consumers and frequently downloaded by individuals; not be classified as malicious in and of itself by enterprise IT organizations or security vendors; contain at least one critical vulnerability that was first reported in June 2006 or after and registered in the National Institute of Standards and Technologys vulnerability database and given a severity rating of between 7.0 and 10.0 on the CVSS (Common Vulnerability Scoring System); and rely on the end user, as opposed to a central administrator, to manually patch or upgrade the software.
Brian Gladstein, director of product marketing for Bit9, said that these applications represent a species thats wild on the Internet and that people love to use, including IM clients, iTunes and QuickTime.
Thats a problem for IT. “In a corporate environment where compliance is so much more important nowadays, theres no way for central IT to know [such applications are] there and to do anything about them. It represents an unknown threat across the environment,” he said. “IT has no way of formally plugging these holes.”
Gladstein admits that it may well be surprising to see some of those applications on a list of scary programs. Mozilla, for example, is lightning-fast when it comes to fixing vulnerabilities. Yet not only did its Firefox browser place at No. 3 on Bit9s list this year, last year it was at No. 1.
“Its important to note: In many of these cases, vendors are quick, even aggressive, in creating a patch for vulnerabilities,” he said. “The problem is that IT doesnt have the capability to enforce that the patch gets applied. Thats not a reflection on the company. Its up to the user. Corporations cant put stability and integrity of the enterprise network into the hands of its end users.”
IE and Firefox both come up frequently when it comes to critical vulnerabilities, but IE isnt on the list because most organizations have a fairly good grip on the browser, given Microsofts regularly scheduled Patch Tuesdays, he said.
VMwares Player being rated a popular vulnerable application may come as another surprise. The free desktop virtualization application allows users to run virtual machines on Windows or Linux PCs and to operate any VM created by VMware Workstation, VMware Server or VMware ESX Server, as well as Microsoft VMs and Symantec LiveState Recovery disks.
Virtualization is hot, but its a surprising find to see it on a list of vulnerable consumer applications. “It was a surprise for me because its normally considered to be business-oriented,” Gladstein said. “But map it against our criteria, and its more and more popular in the consumer space. Individuals download players to do their own thing.”
Unfortunately, users doing their own thing with VMware Player can allow remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow or corrupt stack memory. These vulnerabilities were detailed in CVE-2007-0063, in CVE-2007-0062 and in CVE-2007-0061, vulnerabilities all described in late August. VMs have, in fact, been gaining increasing attention for their far-from-stellar security profiles. A slew of virtualization vulnerabilities have been patched over the past seven months by major virtualization vendors VMware, Microsoft and XenSource, for example.
Bit9 recommends that organizations protect themselves from the harm popular consumer applications can do by defining policy for such programs, including determining what applications an organization is going to allow users to install and what the recourse will be in the case of a vulnerability.
Also, the company recommends understanding where applications are located in the enterprise, using inventory tools. It also pays to monitor the Internet for new vulnerabilities, to monitor in-house PCs and use some type of software identification service so as to understand what type of software is put onto PCs and for what ends.
Editors Note: This story was updated to correct the name of VMware Player.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.