Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Firefox tops list of 12 most vulnerable apps

By | December 15, 2008, 10:41am PST

Mozilla’s flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform.

According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008.  These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs.  Here’s Bit9’s dirty dozen:

  1. Mozilla Firefox: In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflows, malformed URI links, documents, JavaScript and third-party tools.
  2. Adobe Flash and Adobe Acrobat: Bit9 listed 14 flaws patched this year that exposed desktops to arbitrary remote code execution via buffer overflows, “input validation issues” and malformed parameters.
  3. EMC VMware Player, Workstation and other products: A total of 10 bugs introduced risks ranging from privilege escalation via directory traversal to ActiveX buffer overflows leading to arbitrary code execution and denial of service.
  4. Sun Java JDK and JRE, Sun Java Runtime Environment (JRE): Inability to prevent execution of applets on older JRE releases could allow remote attackers to exploit vulnerabilities of those older releases. Buffer overflows allowed creation, deletion and execution of arbitrary files via untrusted applications. 10 patched vulnerabilities listed.
  5. Apple QuickTime, Safari and iTunes: In QuickTime, the list includes nine vulnerabilities that allow remote attackers to execute arbitrary code via buffer overflow, or cause a denial of service (heap corruption and application crash) involving malformed media files, media links and third-party codecs. The Safari for Windows browser was haunted by three flaws that could lead to arbitrary code execution and denial of service involving JavaScript arrays that trigger memory corruption. Apple’s iTunes software was susceptible to a remote improper update verification that allowed man-in-the-middle attacks to execute arbitrary code via a Trojan horse update.
  6. Symantec Norton products (all flavors 2006 to 2008): A stack-based buffer overflow in the AutoFix Support Tool ActiveX control exposed Windows users to arbitrary code execution.
  7. Trend Micro OfficeScan: A total of four stack-based buffer overflows that opened doors for remote attackers to execute arbitrary code.
  8. Citrix Products: Privilege escalation in DNE via specially crafted interface requests affects Cisco VPN Client, Blue Coat WinProxy, SafeNet SoftRemote and HighAssurance Remote. A search path vulnerability and a buffer overflow lead to arbitrary code execution.
  9. Aurigma Image Uploader, Lycos FileUploader: Remote attackers can perform remote code execution via long extended image information.
  10. Skype: Improper checking of dangerous extensions allows user-assisted remote attackers to bypass warning dialogs. A cross-zone scripting vulnerability allows remote attackers to inject script via the Internet Explorer web control.
  11. Yahoo Assistant: Remote attackers can execute arbitrary code via memory corruption.
  12. Microsoft Windows Live (MSN) Messenger: Remote attackers are allowed to control the Messenger application, “change state,” obtain contact information and establish audio or video connections without notification.

See Bit9’s full report (.pdf) for information on how the list was put together, including criteria for inclusion.

* Image source: Channy Yun’s Flickr photostream (Creative Commons 2.0)


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

169 Comments

RE: Firefox tops list of 12 most vulnerable apps
birumut Updated - 4th May 2011
Great!!! thanks for sharing this information to us !
seslisohbet seslichat
Curious Bill and the Monkeys...
tburzio 15th Dec 2008
Curious, but a week after Microsoft puts out a "It's not our OS but the programs that it runs", this report comes out. Even more curious is that it lists none of Microsoft's own programs, which are listed in the "critical" phase each week. Hmmmmm. I wonder who paid for the study? happy
Google, not Microsoft
GuidingLight 15th Dec 2008
Hmmmmm. I wonder who paid for the study?

Well, it is easily apparent that Google had funded the study.

Blow "number four" to Mozilla. Google does not wish anyone to download Firefox now that Chrome is "out" of Beta, so scare everyone away from using it. happy
It must have been Google AND Microsoft who funded this study since neither Chrome or IE was on the list...oh, and the Tooth Fairy probably had something to do with it as well, since the "Pixie Dust" browser isn't on the list. Oh and what about the aliens from outer space? I mean they don't have a product on the list, right?

I think that the authors of this report should change the data to make it look worse for Microsoft. I mean they'd get more people to believe it wouldn't they? I mean the ABM-ers could then feel better about giving their favorite vendor (e.g., Mozilla, Adobe, VMware, etc.) a pass then. Right, or am I missing something here?
Well, it's an end of year report.
seanferd 16th Dec 2008
so that should answer the timing question.
That's exactly what
OldGuru Updated - 16th Dec 2008
... went through my mind when I browsed the list of apps.

Moreover, the whole logic is flawed. Even if we assume that the data (number of critical patches for each app) is accurate, how is an application that leaves its vulnerabilities unpatched, hence less patches, any safer?!
Obviously,
Greenknight_z 17th Dec 2008
the app which doesn't patch is less secure. This business of counting patches is nonsense, what counts is how many days users were vulnerable. Firefox has a history of vulnerabilities being patched quickly, and would look very good by this metric.
Very odd...
InAction Man 15th Dec 2008
it sure looks suspicious to me.
Sensationalist title
forrestgump2000@... 15th Dec 2008
The apps considered for this list have very specific criteria. Including:
"The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS."

So for example, Internet Explorer may be "more vulnerable" than Firefox, but it wouldn't be listed in this report.

The title (and pretty much the article) are sensationalist.
Talk about misleading statistics....
techvet 15th Dec 2008
Suppose IE and Firefox each have the same 10 vulnerabilities discovered. Firefox fixes 8 of them and Microsoft fixes 6 in IE. By this criterion, IE is better than Firefox because it fixed fewer flaws!

You cannot judge all this without knowing how many unpatched flaws each package has.
They actually patched their bugs. The app with the most patches is most likely the most secure. How so? Because every app has bugs and the quick release of patches shows a dedication to eliminating them.

A more accurate title would be Firefox is the most frequently patched Windows application. Of course that would hardly get as much attention.
Stings a little I guess...nt
TheBottomLineIsAllThatMatters 17th Dec 2008
nt
yet the Firefox fanbois and Linus kneelers turn their heads to facts.

Also watch the secunia vulnerability reports for web servers and you will find about 1 in 5 of every report secunia issues is a SQL injection flaw in an open sourced web servers.

I am being generous with the 1/5 as it is most likely higher.
Grasping at straws
Speednet 30th Dec 2008
I was scanning down the list of comments for the most ridiculous, impassioned, blind defense of Firefox, and it didn't take long. I love articles like these, because it really throws the "true believers" for a loop.
How is it functionally possible IE is not on the list?
TripleII-21189418044173169409978279405827 15th Dec 2008
http://blogs.zdnet.com/hardware/?p=3189
Just today.

Even today, IE fully patched has more open vulnerabilities than every application (except probably Quicktime, it is simply a huge vulnerability in and of itself).

I am all for listing and fixing vulnerabilities, but IE gets a pass, makes me think there is an agenda.

http://secunia.com/advisories/product/12366/?task=statistics_2008
33 secunia, 70 total vulnerabilities.

http://blogs.zdnet.com/security/?p=2301
http://blogs.zdnet.com/security/?p=2296
http://blogs.zdnet.com/security/?p=2284
Another major bulletin is MS08-073, which covers 4 flaws in Internet Explorer,

Ahh, what's 4 or 5 critical flaws in IE per month, lol.

TripleII
Good question. On my screen, I have the following:

http://blogs.zdnet.com/hardware/?p=3189

lol
Hold on to your hat.....
xuniL_z 15th Dec 2008
Just because it's fashionable to blog every single MS patch and to only do so sporadically with OSS apps, doesn't mean a damn thing TripleII.

You just have to realize how bad FireFox really is to have more security issues than IE.

I don't think IE, for being the best platform to code to, is faring all that badly.

It didn't start out with the Mantra of "security", like all of OSS land claims to own.

If we saw every patch for all Linux based distros and apps on here everyday, Paul Murphy would be in total defense mode around the clock to try and exonerate them as somehow MS inspired.
Not funny at all.
facts is facts bud.

Sorry if that affects your choice of product created by large numbers of geeks typing code into computers. I can see your conundrum.
I never found one
InAction Man 15th Dec 2008
I have been using Firefox since Firebird 0.6, and that was in the betas era, a looong time ago. Now I am using the unbranded version called Iceweasel (Linux).

When I still used Windows I took it to warez sites (just for the fun, I was switching to Linux) and I never had any problems. Believe me, if I only had IE I would never try that stunt.
You can lock down IE.
xuniL_z 15th Dec 2008
It'll lock down so that no code can run.

why does everyone act like Firefox is the only one that has the ability to stop all scripting?

I've used IE for years and have never had a problem, does that make it safer? No. I'm not saying IE IS safer.

I'm only saying Ryan is only reporting data, and weighting it based on severity of "Possible" exploits. There were days in which FF could have allowed systems to be taken over. because that didn't happen, that I know of anyway, does not take away what is fact. That is called luck. And probably because there are perceptions out there as well, that are obviously untrue but still exist.
Make me laugh. Not.
Cayble 15th Dec 2008
I have IE, I use IE and I go anywhere I like on the net. Warez sites? Big deal. Updated AV and anti spyware with an updated OS will keep IE plenty safe in Warez sites. Unless you chose to be retarded. And of course if you do choose to be retarded its only a question of how retarded you choose to be before even a Linux distro swirls down the tubes.
Let's see that happen
hasta la Vista, bah-bie 16th Dec 2008
you choose to be before even a Linux distro swirls down the tubes.

What? No can do?

Awwww....

grin
Lucky
rjacksix 19th Dec 2008
You sir are extremely lucky. There have been two zero-day unstoppable script injected remote exploits that nothing you mention would have stopped. One simple exploit of the last one (the XML exploit) had more than 250,000 sites infected with a script that would have EASILY nailed you with a drive-by without your ever knowing it.

I don't trust Firefox, IE, Safari, Windows, Linux, or OS X to the degree that you say that you do IE (and Vista? or XP?)
Facts??? That's highly debatable!
InAction Man 15th Dec 2008
I could point to many articles stating the contrary.
that have administration. businesses and other organizations, not individuals.

But I don't know that IE had 10 vulns that allowed remote code execution in 2008 for starters so it's not clear it would have ranked at number 1 if that's what you think. Firefox may still have taken the blue ribbon.
You miss the point.
TripleII-21189418044173169409978279405827 15th Dec 2008
In no way did I defend or slam FF. It is simply functionally impossible that IE is left off such a list with 70+ critical vulnerabilities (on XP, major on Vista, for the most part), story after story about ZERO day exploits in use in the wild AND have anyone believe you.

It is up there with QuickTime = Secure Product, it is not functionally possible. Maybe they all suck, every product, but you have to admit, IE not being on the list is amazing.

IE - 6 Abysmal and still in wide use (not MS's fault, but utterly insecure).
IE - 7 better (certainly on Vista), however, multiple zero day's in the wild, and several critical from years before unpatched.

I would also project that we will need to start differentiating OS use w.r.t browser. Safari on MS might truly suck, but be very secure on OS-X. Similarly for FF on the Acer Aspire One. Course, MS would have to port, but that column can be blank.

TripleII
While you're posting those vulns...
storm14k 15th Dec 2008
....post along with them the damage they can do on *nix and Windows. Also post how soon they are fixed.
This blog does not claim to do that.
xuniL_z 15th Dec 2008
There are many blogs like this every day on zdnet and if you pay attention, there is a huge software maker that gets the lions share of them.

That is they are limited in scope and only provide one set of data, not giving the big pictures.

If you read carefully, this blog is totally about businesses and if you link to the pdf, you'll see that IE is left out because:

6) The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.
Thats not what I asked...
storm14k 16th Dec 2008
You said if all the Linux vulns were listed yada yada...

I said go ahead and list them.

But following rule #6 from that study hardly anything would be listed for Linux.
LOL - n
TheBottomLineIsAllThatMatters 17th Dec 2008
nt
Reason why IE isn't on that list
mone_dog 16th Dec 2008
If anyone cared to check the linked pdf-report from bit9 - the hilarious reason why IE was not reported in place 1 on that list is their statement:
(loosely cited)
Listed below are Apps widely spread, with NIST affirmed critical errors etc AND
The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.

Yeah right.
Who paid for that report?
We have a bad year for hacking, where vulnerabilities show up. The most responsible software makers respond with big groups of fixes.

Then this report and you penalize them for acting responsibly. You say, in effect, because you _did_ have needs for fixes, you are bad.

Does this make sense to anyone?

Maybe the presence of VMWare on this list does give a clue to who proposed and funded such an untruthful 'study', but that doesn't matter as much as something else.

Are you truly gullible, or just playing 'the game'?

Only you can answer, but I hope you think about it.

Regards,
Narr Vi
Exactly right, Narr.
Lerianis 15th Dec 2008
The fact is that there are ALWAYS going to be vulnerabilities for applications, especially internet ones. You just cannot do anything to avoid that certainty.

What you do is as soon as someone finds a vulnerability.... you fix it. You don't take the Microsoft approach that 'Oh, it's hard to use this vulnerability in reality, let's not fix it!"
You fix it immediately, period and done with.

Firefox does that. Adobe does that. So do most of those other people on the list.
nt
Honestly? LOL!!
xuniL_z 17th Dec 2008
You can say with a straight face that Quicktime is a responsible app? Or Safari on windows ? Come on, they have been deemed by many sources the most offending software.

And Apple's tactics of defaulting Safari in on an iTunes update? Nice and responsible, oh yeah.

Remind me to not respect your opinions any longer. wink
In terms of vulnerability patching
T1Oracle 17th Dec 2008
but I can see with that "respect" remark that your only interests are troll responses... :\
And...
thx-1138_@... 16th Dec 2008
...the prize for the 'Most Sensible Post' goes to...

Narr Vi - a very nice (and appropriate) post!

Well said - and i couldn't agree with you more.

QUOTABLE QUOTES:

"Bull$h!t is bull$h!t, it just goes by different names."

"Believe none of what you hear and only half of what you see" ... especially when it relates to application vulnerabilities and 'doesn't even mention' MS.

Food for thought:

(IF

Ignorance = Bliss,

THEN (Gullibility = Nirvana
&& Pigs Flying = TRUE);

ENDIF
)


Again, nice post Narr Vi!

:^)
I Have to Agree
rjacksix 19th Dec 2008
This article isn't credible. The title says that Firefox is the biggest vulnerability and yet other software had 4 more critical bugs. I am not even going to get into the IE rant. I'm to busy making sure we get our out of bandwidth patch for the XML zero day in place.

(PLUHHHEEEEZZZ!)

So Why should I continue to read what your right Ryan?

Are you a pundit or a parrot?

(Sorry, it's alliterative)
I Know
rjacksix 19th Dec 2008
sorry I was in a hurry....too, and write...sigh. It's hard to write on top of a soap box wink
Either the author believes that people are complete morons or he is the biggest moron in the planet.

This article is not more laughable because it is obviously more than flawed.

So how is something more vulnerable for FIXING problems fast??

How is it more vulnerable than apps that have 5 to 6 years old unfixed highly critical vulnerabilities??

What about all the other credible reports from reputable security companies that show totally different results? (where Firefox is not even in the top 50).

Please don't insult the intelligence of the reader. Even the troll will have to agree that this "report" is nothing but a big pile of diuretic bull.
there are many ways to look at things, but he is just reporting facts.

An attack is not even necessary for something to be labeled insecure.

If a country had no army and no means to resist attack, according to your logic they are safer than anyone if not attacked.

Plain and simple, Ryan has been straight up all along and now just because your "product of choice" has been exposed as most vulnerable, you want to act like the man's credibility is in question?

What's it like to live and die by something a large group of geeks typed into a computer?

wink
Are ActiveX controls counted separately.
TripleII-21189418044173169409978279405827 15th Dec 2008
The only way this even comes close to making sense is IE is not bundled with ActiveX in any way, and the report deals with "applications" only meaning the controls are not counted. If you want to talk about remote code execution vulnerabilities, you would have to include the King of all Kings in terms of poor security, ActiveX.

It would be very disingenuous of the report creator, but the only thing that comes close to making sense.

(And yes, ActiveX was created in a non malware time, never designed to be secure, unfortunately, it was a lock in mechanism and should have been killed about 500M infected computers ago).

TripleII
6) The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.
It's funny how Bit9 released their report of the "worst applications" in PDF form since Adobe reader was one of the evil apps.
there are other ways to read .pdf files aside of Acrobat if you don't want their bloatware you know...
Or Windows Update?
T1Oracle Updated - 16th Dec 2008
"6) The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS."

Are you saying that IE was excluded from consideration in the "report"?
Yep!
mone_dog 16th Dec 2008
That's exactly what this section implies!
Yes.
xuniL_z 16th Dec 2008
That is from the requirements for apps to be considered for this B9 report.

You only need to link to the PDF file in the blog.
Then why?
rjacksix 19th Dec 2008
Last time I checked, Firefox applies its updates automatically, Adobe does, iTunes does, etc.. The ONLY packages that are patched (sic) by SUS/WSUS are MS products. (sic because it doesn't work well, when it works at all, which is why we use Patchlink).