Mozilla Firefox, Apple Safari and Opera browser appear in an annual list documenting highly used, high-risk software as a result of serious vulnerabilities discovered in the browsers this year.
The browsers appear on a list of 11 applications deemed a high risk to enterprises. Mozilla had 44 vulnerabilities reported in 2009, some of which could cause a denial of service (DoS) and enable attackers to gain access and control a victim's machine. By contrast, Apple Safari had six serious vulnerabilities reported, including flaws that enable man-in-the-middle attacks, remote code execution and denial-of-service attacks. Opera had only two vulnerabilities reported, but they were serious enough -- allowing remote code execution if the browser attempts to process a malicious JPEG image -- to warrant its standing on the list.
In addition to Firefox and Opera, Bit9's risky software list includes Adobe Systems's Flash and Macromedia players, Acrobat and Reader PDF software, Sun Java Runtime Environment, Apple's QuickTime, RealNetworks's RealPlayer and Cerulean Studios' Trillian instant messenger client.
"We're not listing out the worst offenders, but the top applications that we think people should be concerned about," said Tom Murphy, chief strategy officer at Bit9.
Security experts have been trying to turn attention onto end-user applications, which are commonly targeted by attackers to gain a foothold into enterprise systems. The SANS Institute released a report in September citing vulnerabilities in Web-facing end user applications as a major threat. The report used data from TippingPoint's intrusion prevention systems and Qualys Inc.'s vulnerability data to lay out the increasing threat posed by the poor patching of client-side applications. The report found that two attack vectors -- client-side vulnerabilities and Web application flaws -- are often coupled together.
All the applications on the Bit9 list run on Microsoft Windows, are well known in the consumer space and are frequently downloaded by individuals. The software must have contained at least one critical vulnerability listed in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database.
Murphy said the applications pose an additional risk to enterprises because they rely on the end user to manually patch or upgrade the software to eliminate a vulnerability. Microsoft's Internet Explorer browser does not make the list because it can be centrally updated by IT administrators using tools provided by Microsoft.
Despite the move by vendors to improve patching times through the deployment of more automated updates (Firefox and Java have such methods), they still rely on some end user interaction and keep IT out of the process, Murphy said. Other software makers, Google for example, use a silent auto update that pushes out patches even faster to users.
"There are a lot of self-updating applications but it's at the expense of the end user to make that happen," Murphy said. "We're targeting this list not so much at the end user but for IT so they know what applications are running in their environment that need to be patched and that they don't have full control over."
Other applications that made the list in the past are either being targeted less by attackers or are no longer the focus of security researchers. The popular VoIP application Skype was dropped from the list in 2009 since no vulnerabilities were reported in the NIST database. Products from two antivirus vendors, Symantec's Norton Antivirus and Trend Micro's OfficeScan, also didn't make the list this year.
"The list has been getting shorter as the applications are getting maintained a little better by the vendors and they're more mature as well," Murphy said.