January 26, 2009, 11:00 AM — The software vulnerabilities listed in Bit9's so-called 'Dirty Dozen' don't swoop in wearing a mask and brandishing a gun. They come in surreptitiously hidden in the coattails of popular applications. These applications aren't malicious in nature, but if managed improperly by the end-user, they become open doors for hackers and malware to penetrate computer and networks that are otherwise secure. How many times do you boot up your computer, receive a patch-update request, but close it because you're in a hurry? Or worse, click the option that says "do not ask me again." Users who don't take the time to install these patches have a big open-door sitting on their desktop.
Enterprise Risks Revealed
To highlight the risk enterprises face from popular applications that remain unknown and unmanaged by the IT department, Bit9 announced the "2008 Most Popular Applications with Critical Security Vulnerabilities"--an annual list and research report based on public research from the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database.
What has been a 'Top 10' list in previous years, the 2008 edition was bolstered to become "The Dirty Dozen." This increase to 12 applications is due in large part to the increased number of non-secure consumer applications, and the widespread adoption of these highly popular programs, such as Skype and Yahoo! Assistant.
The list and accompanying research report are designed to raise awareness. These applications often run outside of the IT department's knowledge and control, creating serious security risks for enterprises. Each of these vulnerable applications contains doors into the enterprise that can be used by malicious hackers. IT departments need a way to shut these doors--centrally and automatically--without relying on their end users. IT also needs a way to address the lack of visibility into what applications are being downloaded and run on their employee's computers and also a way to control the execution of software that is not authorized by company policy.
Of the 12 applications identified, here are five that you almost certainly know. Again, these applications were selected for being widely-used (there are over 500 million downloads of Firefox), and then ranked based on the number of specific vulnerabilities they contained--and these vulnerabilities had to be rated "high", between 7.0--10.0, on the Common Vulnerability Scoring System (CVSS).
Firefox had 40 high CVSS vulnerabilities, making them number-one on the list. Some others are listed below are in no particular order.
-- Mozilla Firefox, versions 2.x and 3.x
-- Adobe Acrobat, versions 8.1.2 and 8.1.1
-- Microsoft Windows Live (MSN) Messenger, versions 4.7 and 5.1
-- Apple iTunes, versions 3.2 and 3.1.2
-- Skype, version 3.5.0.248
Note that in most cases, the entire list of vulnerable applications can be downloaded.
What Can Be Done?
1. Define a control policy for applications. Answer questions such as: What applications will we authorize users to install on their own? If vulnerability is found, what is the proper recourse?
2. Understand where the applications are. An unknown vulnerability could jeopardize sensitive data--and your company's reputation--if a laptop connects to a public Wi-Fi spot.
3. Monitor the Internet for new vulnerabilities. Excellent resources are available at sites such the National Vulnerability Database (http://nvd.nist.gov), the SANS Institute (http://www.sans.org).
4. Monitor your PCs using software identification services. Services such as the free FileAdvisor (http://fileadvisor.bit9.com) let you look up any file and identify its product, publisher, security rating, and more.
5. Enforce application controls using application white listing solutions. Anything not on the white list won't execute--whether it's a targeted attack, one of these vulnerable applications or a malicious payload.
The List Criteria
Each application on the list has the following characteristics:
-- Runs on Microsoft Windows.
-- Is well-known in the consumer space and frequently downloaded by individuals.
-- Is not classified as malicious by enterprise IT organizations or security vendors.
-- Contains at least one critical vulnerability that was:
- first reported in June 2006 or after
- registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
-- Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
-- The application cannot be automatically and centrally updated via enterprise tools such as Microsoft SMS & WSUS.
