October 29, 2007
By Lisa Vaas
They may be hiding beneath your bed or in the darkest corners of your business, but you know them when you smell them: applications so popular you'd have to break users' fingers to stop them from creeping into the network.
Without further ado, the list of the year's Top 12 popular applications with critical vulnerabilities, according to a yearly ranking from Bit9, a vendor of application and device control technology:
1. Yahoo Messenger, 8.1.0.239 and earlier
2. Apple QuickTime 7.2
3. Mozilla Firefox 2.0.0.6
4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
5. EMC VMware Player (and other products) 2.0, 1.0.4
6. Apple iTunes 7.3.2
7. Intuit QuickBooks Online Edition, 9 and earlier
8. Sun Java Runtime Environment (JRE) 1.6.0_X
9. Yahoo Widgets 4.0.5 and previous
10. Ask.com Toolbar 4.0.2.53 and previous
11. Broadcom wireless device driver as used in Cisco Linksys WPC300N Wireless-N Notebook Adapter 3.50.21.10
12. Macrovision (formerly InstallShield) InstallFromTheWeb, unversioned
Bit9 drew from a variety of sources to develop the list, including the National Vulnerability Database, the SANS Institute and the U.S. Computer Emergency Readiness Team, and based it on a handful of other criteria, including the fact that patching these problem programs is left up to users (yes, that's why Internet Explorer doesn't show up).
Moreover, to make the list, an application must run on Microsoft Windows; be well-known to consumers and frequently downloaded by individuals; not be classified as malicious in and of itself by enterprise IT organizations or security vendors; contain at least one critical vulnerability that was first reported in June 2006 or after and registered in the National Institute of Standards and Technology's vulnerability database and given a severity rating of between 7.0 and 10.0 on the CVSS (Common Vulnerability Scoring System); and rely on the end user, as opposed to a central administrator, to manually patch or upgrade the software.
Brian Gladstein, director of product marketing for Bit9, said that these applications represent a species that's wild on the Internet and that people love to use, including IM clients, iTunes and QuickTime.
That's a problem for IT. "In a corporate environment where compliance is so much more important nowadays, there's no way for central IT to know [such applications are] there and to do anything about them. It represents an unknown threat across the environment," he said. "IT has no way of formally plugging these holes."
Gladstein admits that it may well be surprising to see some of those applications on a list of scary programs. Mozilla, for example, is lightning-fast when it comes to fixing vulnerabilities. Yet not only did its Firefox browser place at No. 3 on Bit9's list this year, last year it was at No. 1.
"It's important to note: In many of these cases, vendors are quick, even aggressive, in creating a patch for vulnerabilities," he said. "The problem is that IT doesn't have the capability to enforce that the patch gets applied. That's not a reflection on the company. It's up to the user. Corporations can't put stability and integrity of the enterprise network into the hands of its end users."
IE and Firefox both come up frequently when it comes to critical vulnerabilities, but IE isn't on the list because most organizations have a fairly good grip on the browser, given Microsoft's regularly scheduled Patch Tuesdays, he said.
VMware's Player being rated a popular vulnerable application may come as another surprise. The free desktop virtualization application allows users to run virtual machines on Windows or Linux PCs and to operate any VM created by VMware Workstation, VMware Server or VMware ESX Server, as well as Microsoft VMs and Symantec LiveState Recovery disks.
Virtualization is hot, but it's a surprising find to see it on a list of vulnerable consumer applications. "It was a surprise for me because it's normally considered to be business-oriented," Gladstein said. "But map it against our criteria, and it's more and more popular in the consumer space. Individuals download players to do their own thing."
Unfortunately, users doing their own thing with VMware Player can allow remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow or corrupt stack memory. These vulnerabilities were detailed in CVE-2007-0063, in CVE-2007-0062 and in CVE-2007-0061, vulnerabilities all described in late August. VMs have, in fact, been gaining increasing attention for their far-from-stellar security profiles. A slew of virtualization vulnerabilities have been patched over the past seven months by major virtualization vendors VMware, Microsoft and XenSource, for example.
Bit9 recommends that organizations protect themselves from the harm popular consumer applications can do by defining policy for such programs, including determining what applications an organization is going to allow users to install and what the recourse will be in the case of a vulnerability.
Also, the company recommends understanding where applications are located in the enterprise, using inventory tools. It also pays to monitor the Internet for new vulnerabilities, to monitor in-house PCs and use some type of software identification service so as to understand what type of software is put onto PCs and for what ends.
Copyright (c) 2007Ziff Davis Enterprise Inc. All Rights Reserved.
http://www.eweek.com/print_article2/0,1217,a=218232,00.asp
By Lisa Vaas
They may be hiding beneath your bed or in the darkest corners of your business, but you know them when you smell them: applications so popular you'd have to break users' fingers to stop them from creeping into the network.
Without further ado, the list of the year's Top 12 popular applications with critical vulnerabilities, according to a yearly ranking from Bit9, a vendor of application and device control technology:
1. Yahoo Messenger, 8.1.0.239 and earlier
2. Apple QuickTime 7.2
3. Mozilla Firefox 2.0.0.6
4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
5. EMC VMware Player (and other products) 2.0, 1.0.4
6. Apple iTunes 7.3.2
7. Intuit QuickBooks Online Edition, 9 and earlier
8. Sun Java Runtime Environment (JRE) 1.6.0_X
9. Yahoo Widgets 4.0.5 and previous
10. Ask.com Toolbar 4.0.2.53 and previous
11. Broadcom wireless device driver as used in Cisco Linksys WPC300N Wireless-N Notebook Adapter 3.50.21.10
12. Macrovision (formerly InstallShield) InstallFromTheWeb, unversioned
Bit9 drew from a variety of sources to develop the list, including the National Vulnerability Database, the SANS Institute and the U.S. Computer Emergency Readiness Team, and based it on a handful of other criteria, including the fact that patching these problem programs is left up to users (yes, that's why Internet Explorer doesn't show up).
Moreover, to make the list, an application must run on Microsoft Windows; be well-known to consumers and frequently downloaded by individuals; not be classified as malicious in and of itself by enterprise IT organizations or security vendors; contain at least one critical vulnerability that was first reported in June 2006 or after and registered in the National Institute of Standards and Technology's vulnerability database and given a severity rating of between 7.0 and 10.0 on the CVSS (Common Vulnerability Scoring System); and rely on the end user, as opposed to a central administrator, to manually patch or upgrade the software.
Brian Gladstein, director of product marketing for Bit9, said that these applications represent a species that's wild on the Internet and that people love to use, including IM clients, iTunes and QuickTime.
That's a problem for IT. "In a corporate environment where compliance is so much more important nowadays, there's no way for central IT to know [such applications are] there and to do anything about them. It represents an unknown threat across the environment," he said. "IT has no way of formally plugging these holes."
Gladstein admits that it may well be surprising to see some of those applications on a list of scary programs. Mozilla, for example, is lightning-fast when it comes to fixing vulnerabilities. Yet not only did its Firefox browser place at No. 3 on Bit9's list this year, last year it was at No. 1.
"It's important to note: In many of these cases, vendors are quick, even aggressive, in creating a patch for vulnerabilities," he said. "The problem is that IT doesn't have the capability to enforce that the patch gets applied. That's not a reflection on the company. It's up to the user. Corporations can't put stability and integrity of the enterprise network into the hands of its end users."
IE and Firefox both come up frequently when it comes to critical vulnerabilities, but IE isn't on the list because most organizations have a fairly good grip on the browser, given Microsoft's regularly scheduled Patch Tuesdays, he said.
VMware's Player being rated a popular vulnerable application may come as another surprise. The free desktop virtualization application allows users to run virtual machines on Windows or Linux PCs and to operate any VM created by VMware Workstation, VMware Server or VMware ESX Server, as well as Microsoft VMs and Symantec LiveState Recovery disks.
Virtualization is hot, but it's a surprising find to see it on a list of vulnerable consumer applications. "It was a surprise for me because it's normally considered to be business-oriented," Gladstein said. "But map it against our criteria, and it's more and more popular in the consumer space. Individuals download players to do their own thing."
Unfortunately, users doing their own thing with VMware Player can allow remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow or corrupt stack memory. These vulnerabilities were detailed in CVE-2007-0063, in CVE-2007-0062 and in CVE-2007-0061, vulnerabilities all described in late August. VMs have, in fact, been gaining increasing attention for their far-from-stellar security profiles. A slew of virtualization vulnerabilities have been patched over the past seven months by major virtualization vendors VMware, Microsoft and XenSource, for example.
Bit9 recommends that organizations protect themselves from the harm popular consumer applications can do by defining policy for such programs, including determining what applications an organization is going to allow users to install and what the recourse will be in the case of a vulnerability.
Also, the company recommends understanding where applications are located in the enterprise, using inventory tools. It also pays to monitor the Internet for new vulnerabilities, to monitor in-house PCs and use some type of software identification service so as to understand what type of software is put onto PCs and for what ends.
Copyright (c) 2007Ziff Davis Enterprise Inc. All Rights Reserved.
http://www.eweek.com/print_article2/0,1217,a=218232,00.asp
全站熱搜
留言列表
