Security

Some of the most widely used applications on Windows today are also among the most exposed to known security flaws. And the fault often lies with the user.

A list compiled by enterprise application whitelisting vendor Bit9 found that 12 of the most popular consumer applications are still in use in versions with known vulnerabilities that could lead to compromised systems or stolen data.

The rankings -- ordered by number of vulnerabilities -- include Mozilla Firefox, Apple's (NASDAQ: AAPL) iTunes, QuickTime and Safari Browser and Adobe's (NASDAQ: ADBE) Flash and Acrobat. Antivirus utilities didn't escape mention, with products from Symantec's (NASDAQ: SYMC) Norton family and from Trend Micro making an appearance. Also on the list were virtualization offerings from VMware (NYSE: VMW) and Citrix Systems (NASDAQ: CTXS).

Top popular apps with vulnerabilities

 #   Application                                              Affected versions
 1.  Mozilla Firefox                                          3.x, 2.x
 2.  Adobe Flash & Acrobat                                    Flash: 10.0 - 10.0.12.36 and 9.0 - 9.0.151.0;
                                                              Acrobat: 8.1.2, 8.1.1
 3.  EMC VMware Player, Workstation and other products        ESXi 3.5 or earlier; Workstation 5.5.x;
                                                              Player 2.0.x & 1.0.x; ACE 2.0.x & 1.0.x
 4.  Sun Java Runtime Environment (JRE)                       Version 6 Update 6
 5.  Apple QuickTime, Safari & iTunes                         QuickTime: 7.5.5; Safari: 6.0.5.20B;
                                                              iTunes: 3.2, 3.1.2
 6.  Symantec Norton products                                 2.7.0.1
 7.  Trend Micro OfficeScan                                   8.0 SP1 before build 2439;
                                                              8.0 SP1 Patch 1 before build 3087
 8.  Citrix Deterministic Network Enhancer (DNE),             DNE 2.21.7.233 - 3.21.7.17464;
     Access Gateway, Presentation Server                      Access Gateway 4.5.7; Presentation Server 4.5
 9.  Aurigma Image Uploader, Lycos FileUploader               4.6.17.0, 4.5.70.0, 4.5.126.0
10.  Skype                                                    3.6.0.248
11.  Yahoo! Assistant                                         3.6
12.  Microsoft Windows Live Messenger                         4.7 & 5.1

Source: Bit9

But Harry Sverdlove, Bit9's CTO, told InternetNews.com that the real fault generally doesn't lie with the products' vendors themselves, most of whom have fixes available for the security holes.

"The vendors update their patches, but end users often don't install these," Sverdlove said.

For enterprises, that spells trouble, especially since many of these apps slip onto corporate machines without IT knowing. The news also comes as businesses face growing security threats, punctuated by a slew of recent data breaches, while contending with sharply reduced spending on IT projects.

Bit9's answer is whitelisting: only executables an administrator has explicitly approved are allowed to run, and anything else is blocked and reported. The company likens it to a guard dog that will not let anyone into the house until its master says the person is accepted, and even then sits on watch, eyeing the visitor.

"Even if you don't update or patch your application, as long as you have a whitelist, malware can come in but it can't execute," Bit9's Sverdlove said. "And we alert the IT administrators so that they can take action."

However, whitelisting is not a panacea, Gerry Egan, director of product management at antivirus vendor Symantec, told InternetNews.com. But neither is blacklisting, which takes the opposite approach, maintaining a list of known-bad applications to keep out.

"Where whitelisting breaks down is the same place blacklisting breaks down -- there are files used by a few people because they're new or for a niche application, and they aren't popular enough for their signatures to be recognized by whitelisting or blacklisting applications," he said.

Symantec has incorporated some whitelisting technology in its Norton 2009 products, released in September, and is working on a reputation-based technology, Egan added.

This would work much like the rating systems on Amazon.com and eBay, where users rate products and sellers and their comments are published. Symantec is considering using its installed user base to calculate the reputation of applications, Egan said.
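The three mechanisms the article contrasts, a hash-based whitelist that blocks and alerts on anything it does not recognize, the gap Egan describes where a new or niche file is on neither list, and a prevalence-based reputation score drawn from an installed base, can be shown together in a small policy model. The following is an added example written for this page, not code from Bit9, Symantec or InternetNews.com: the sample "executables", the endpoint sighting counts and the prevalence threshold of 1,000 hosts are all constructed assumptions, and the decision names are hypothetical.

```python
import hashlib
from typing import Dict, Set, Tuple

def sha256_hex(data: bytes) -> str:
    """Identify an executable by the SHA-256 of its bytes, as hash-based whitelists do."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample "executables": byte strings standing in for real PE files.
SAMPLES: Dict[str, bytes] = {
    "editor.exe":   b"MZ\x90\x00 constructed known-good editor",
    "dropper.exe":  b"MZ\x90\x00 constructed known-bad dropper",
    "freeware.exe": b"MZ\x90\x00 constructed popular tool nobody listed",
    "inhouse.exe":  b"MZ\x90\x00 constructed niche in-house tool, one week old",
}

# The two lists the article contrasts. Both are keyed by hash, so a file that
# appears on neither (new, or used by only a few people) matches nothing.
ALLOWLIST: Set[str] = {sha256_hex(SAMPLES["editor.exe"])}
DENYLIST: Set[str] = {sha256_hex(SAMPLES["dropper.exe"])}

def decide(data: bytes, allowlist: Set[str], denylist: Set[str]) -> Tuple[str, str]:
    """Whitelisting as Sverdlove describes it: unknown code may land on disk, but it
    does not execute, and the administrator is told about it."""
    h = sha256_hex(data)
    if h in denylist:
        return ("block", f"denylisted hash {h[:12]}")
    if h in allowlist:
        return ("run", f"allowlisted hash {h[:12]}")
    # Neither list knows this file: this is the gap both approaches share.
    return ("block_and_alert", f"unknown hash {h[:12]}")

# Hypothetical prevalence telemetry: hash -> set of endpoint IDs that reported it.
# Stands in for the installed-base data Egan mentions; every number here is made up.
SIGHTINGS: Dict[str, Set[str]] = {
    sha256_hex(SAMPLES["editor.exe"]):   {f"host-{i}" for i in range(10_000)},
    sha256_hex(SAMPLES["freeware.exe"]): {f"host-{i}" for i in range(5_000)},
    sha256_hex(SAMPLES["inhouse.exe"]):  {"host-1", "host-2", "host-3"},
}

PREVALENCE_THRESHOLD = 1_000  # assumed policy value, not taken from the article

def reputation(h: str, sightings: Dict[str, Set[str]],
               threshold: int = PREVALENCE_THRESHOLD) -> str:
    """Crude reputation: how many distinct endpoints have seen this hash. A file seen
    by thousands is 'established'; one seen by a handful is 'low_prevalence'."""
    return "established" if len(sightings.get(h, set())) >= threshold else "low_prevalence"

def decide_with_reputation(data: bytes, allowlist: Set[str], denylist: Set[str],
                           sightings: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Lists first; reputation only breaks ties for files on neither list. A brand-new
    or niche file still ends up blocked and alerted, because prevalence needs sightings
    it does not yet have, so reputation narrows the gap rather than closing it."""
    verdict, why = decide(data, allowlist, denylist)
    if verdict != "block_and_alert":
        return verdict, why
    rep = reputation(sha256_hex(data), sightings)
    if rep == "established":
        return ("run", "unlisted but established by prevalence")
    return ("block_and_alert", f"unlisted and {rep}")

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:13} lists only: {decide(data, ALLOWLIST, DENYLIST)[0]:16} "
              f"with reputation: {decide_with_reputation(data, ALLOWLIST, DENYLIST, SIGHTINGS)[0]}")
```

The point of running it is the last two samples: the unlisted but widely seen freeware.exe is rescued by prevalence, while the week-old inhouse.exe is still blocked and alerted by both policies, which is exactly the case Egan says neither whitelisting nor blacklisting handles on its own.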

This article was first published on InternetNews.com.