Software products marketed by Yahoo and Apple have topped the list of the most vulnerable Windows-based applications in 2007, according to endpoint security vendor Bit9.
The list, available here (registration required), focuses on popular, widely deployed Windows programs that are often very difficult for an IT department to locate or patch and, as Bit9 explains, "represent unexpected and unquantified vulnerabilities in an enterprise IT environment."
Yahoo's standalone IM client, which has been riddled with security holes all year, is #1 on the list. The buggy Yahoo Widgets software also makes an appearance at number 9.
Apple's QuickTime media player and iTunes music download software also feature high on the list.
Strangely, Microsoft does not feature heavily on the Bit9 list. In fact, a Microsoft product appears only once on the list -- Windows Live MSN Messenger at #4.
The Bit9 explanation:
The reason most Microsoft software doesn't make the list is because by now most companies have a pretty good process in place for identifying, patching, and fixing vulnerable Microsoft software. The same cannot be said for apps like Firefox, iTunes, and other packages.
That does make sense, but it's hard to imagine Internet Explorer 6, the world's most widely used -- and most heavily targeted -- browser, not making an appearance on this list.
I could also make the argument that Microsoft Word, which has struggled with zero-day attacks and multiple code execution holes, should be high on any list of most-vulnerable Windows apps.
Here's the top-ten from Bit9:
- Yahoo! Messenger 22.214.171.124 and earlier
- Apple QuickTime 7.2
- Mozilla Firefox 126.96.36.199
- Microsoft Windows Live (MSN) Messenger 7.0, 8.0
- EMC VMware Player (and other products) 2.0, 1.0.4
- Apple iTunes 7.3.2
- Intuit QuickBooks Online Edition 9 and earlier
- Sun Java Runtime 1.6.0_X
- Yahoo! Widgets 4.0.5 and previous
- Ask.com Toolbar 188.8.131.52 and previous
As I always recommend for Windows users, be sure to scan your system for security holes and apply all the necessary patches. Secunia's free Web-based software inspector is a great place to start. A downloadable version is also available.
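Bit9's point is that these packages are hard for an IT department even to locate, let alone patch. The script below is an added example, not code from the original post, from Bit9 or from Secunia: it inventories installed applications from the Windows Uninstall registry keys (machine-wide, the 32-bit Wow6432Node view, and the current user's hive, where toolbars and widget engines often register), matches display names against the ten products on the list, and flags anything at or below the version Bit9 calls vulnerable. The name patterns are assumptions about how each vendor's installer labels itself; the version thresholds are only the ones legible in the list above (QuickTime 7.2, Windows Live Messenger 8.0, VMware Player 2.0, iTunes 7.3.2, Yahoo! Widgets 4.0.5), and the rest are left for manual comparison against Bit9's own list.

```powershell
# Added example: inventory Windows apps from the Uninstall registry keys and
# flag those matching Bit9's 2007 list. Not Bit9's or the post author's code.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs
)

# DisplayName regex (assumed) -> highest version Bit9 lists as vulnerable.
# $null means the list's version was not legible here; compare by hand.
$watchList = @(
    @{ Pattern = 'Yahoo!? Messenger';                     VulnerableThrough = $null },
    @{ Pattern = 'QuickTime';                             VulnerableThrough = '7.2' },
    @{ Pattern = 'Mozilla Firefox';                       VulnerableThrough = $null },
    @{ Pattern = 'Windows Live Messenger|MSN Messenger';  VulnerableThrough = '8.0' },
    @{ Pattern = 'VMware Player';                         VulnerableThrough = '2.0' },
    @{ Pattern = '^iTunes';                               VulnerableThrough = '7.3.2' },
    @{ Pattern = 'QuickBooks';                            VulnerableThrough = $null },
    @{ Pattern = 'Java\(TM\)|J2SE Runtime|Java.*Runtime'; VulnerableThrough = $null },
    @{ Pattern = 'Yahoo!? Widgets';                       VulnerableThrough = '4.0.5' },
    @{ Pattern = 'Ask.*Toolbar';                          VulnerableThrough = $null }
)

function ConvertTo-VersionSafe {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    # Sun Java reports e.g. "1.6.0_03" and Firefox may append " (en-US)":
    # normalise the underscore and cut at the first character that is not a digit or dot.
    $clean = (($Text -replace '_', '.') -replace '[^\d.].*$', '').Trim('.')
    if ($clean -notmatch '\.') { $clean = "$clean.0" }   # [version] needs major.minor at least
    try { return [version]$clean } catch { return $null }
}

function Test-AtOrBelow {
    param([string]$Installed, [string]$Threshold)
    $i = ConvertTo-VersionSafe $Installed
    $t = ConvertTo-VersionSafe $Threshold
    if ($null -eq $i -or $null -eq $t) { return $null }
    # Compare only as many fields as Bit9 gives, so an installed "7.2.0.240"
    # still counts as the "7.2" on the list. Undefined [version] fields are -1.
    $n = [Math]::Min(4, $Threshold.Split('.').Count)
    $iParts = @($i.Major, $i.Minor, $i.Build, $i.Revision) | ForEach-Object { [Math]::Max($_, 0) }
    $tParts = @($t.Major, $t.Minor, $t.Build, $t.Revision) | ForEach-Object { [Math]::Max($_, 0) }
    for ($k = 0; $k -lt $n; $k++) {
        if ($iParts[$k] -lt $tParts[$k]) { return $true }
        if ($iParts[$k] -gt $tParts[$k]) { return $false }
    }
    return $true   # equal on every compared field
}

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

$findings = foreach ($app in $installed) {
    foreach ($entry in $watchList) {
        if ($app.DisplayName -match $entry.Pattern) {
            $status = if ($null -eq $entry.VulnerableThrough) { 'CHECK MANUALLY against Bit9 list' }
                      else {
                          $r = Test-AtOrBelow -Installed $app.DisplayVersion -Threshold $entry.VulnerableThrough
                          if ($null -eq $r)  { 'VERSION UNPARSEABLE' }
                          elseif ($r)        { 'VULNERABLE (per Bit9 2007)' }
                          else               { 'newer than listed' }
                      }
            [pscustomobject]@{
                Name      = $app.DisplayName
                Version   = $app.DisplayVersion
                Publisher = $app.Publisher
                Location  = $app.InstallLocation
                Status    = $status
            }
        }
    }
}

$findings | Sort-Object Status, Name | Format-Table -AutoSize
```

Run it in an ordinary (non-elevated) PowerShell session to see the current user's installs as well; run it under each user profile or via a login script if you want the HKCU entries for everyone on a shared machine. Two caveats a practitioner should keep in mind: the Uninstall keys only see what an installer registered, so portable copies, browser-plugin drops and older Java runtimes left behind by side-by-side installs will not appear, and a single registry version string says nothing about the actual DLLs on disk. That is exactly the gap Secunia's inspector fills by checking file versions, so treat this script as a quick way to find the machines worth inspecting, not as a replacement for it.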