Firefox tops list of 12 most vulnerable apps

Summary: Mozilla's flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform. According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008.

TOPICS: Browser, Security

Mozilla's flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform.

According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008.  These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs.  Here's Bit9's dirty dozen:

  1. Mozilla Firefox: In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflow, malformed URI links, documents, JavaScript and third party tools.
  2. Adobe Flash and Adobe Acrobat: Bit9 listed 14 flaws patched this year that exposed desktops to arbitrary remote code execution via buffer overflow, "input validation issues" and malformed parameters.
  3. EMC VMware Player, Workstation and other products: A total of 10 bugs introduced risks ranging from privilege escalation via directory traversal to ActiveX buffer overflows leading to arbitrary code execution and denial of service.
  4. Sun Java JDK and JRE, Sun Java Runtime Environment (JRE): Inability to prevent execution of applets on older JRE releases could allow remote attackers to exploit vulnerabilities in those older releases. Buffer overflows allowed creation, deletion and execution of arbitrary files via untrusted applications. 10 patched vulnerabilities listed.
  5. Apple QuickTime, Safari and iTunes: In QuickTime, the list includes nine vulnerabilities that allow remote attackers to execute arbitrary code via buffer overflow, or cause a denial of service (heap corruption and application crash) involving malformed media files, media links and third party codecs. The Safari for Windows browser was haunted by three flaws that could lead to arbitrary code execution and denial of service involving JavaScript arrays that trigger memory corruption. Apple's iTunes software was susceptible to improper update verification that allowed man-in-the-middle attackers to execute arbitrary code via a Trojan horse update.
  6. Symantec Norton products (all flavors 2006 to 2008): A stack-based buffer overflow in the AutoFix Support Tool ActiveX control exposed Windows users to arbitrary code execution.
  7. Trend Micro OfficeScan: A total of four stack-based buffer overflows that opened doors for remote attackers to execute arbitrary code.
  8. Citrix Products: Privilege escalation in DNE via specially crafted interface requests affects Cisco VPN Client, Blue Coat WinProxy, SafeNet SoftRemote and HighAssurance Remote. A search path vulnerability and a buffer overflow lead to arbitrary code execution.
  9. Aurigma Image Uploader, Lycos FileUploader: Remote attackers can perform remote code execution via long extended image information.
  10. Skype: Improper checking of dangerous extensions allows user-assisted remote attackers to bypass warning dialogs. A cross-zone scripting vulnerability allows remote attackers to inject script via the Internet Explorer web control.
  11. Yahoo Assistant: Remote attackers can execute arbitrary code via memory corruption.
  12. Microsoft Windows Live (MSN) Messenger: Remote attackers are allowed to control the Messenger application, "change state," obtain contact information and establish audio or video connections without notification.

See Bit9's full report (.pdf) for information on how the list was put together, including criteria for inclusion.

  • Curious Bill and the Monkeys...

    Curious, but a week after Microsoft puts out a "It's not our OS but the programs that it runs", this report comes out. Even more curious is that it lists none of Microsoft's own programs, which are listed in the "critical" phase each week. Hmmmmm. I wonder who paid for the study? :-)
    • Google, not Microsoft

      "Hmmmmm. I wonder who paid for the study?"

      Well, it is easily apparent that Google had funded the study.

      Blow "number four" to Mozilla. Google does not wish anyone to download Firefox now that Chrome is "out" of Beta, so scare everyone away from using it. :)
    • It must have been paid for by Microsoft and Google, oh and the Tooth Fairy

      It must have been Google AND Microsoft who funded this study since neither Chrome nor IE was on the list...oh, and the Tooth Fairy probably had something to do with it as well, since the "Pixie Dust" browser isn't on the list. Oh and what about the aliens from outer space? I mean they don't have a product on the list, right?

      I think that the authors of this report should change the data to make it look worse for Microsoft. I mean they'd get more people to believe it wouldn't they? I mean the ABM-ers could then feel better about giving their favorite vendor (e.g., Mozilla, Adobe, VMware, etc.) a pass then. Right, or am I missing something here?
    • Well, it's an end of year report.

      so that should answer the timing question.
    • That's exactly what

      ... went through my mind when I browsed the list of apps.

      Moreover, the whole logic is flawed. Even if we assume that the data (number of critical patches for each app) is accurate, how is an application that leaves its vulnerabilities unpatched, hence less patches, any safer?!
      • Obviously,

        the app which doesn't patch is less secure. This business of counting patches is nonsense, what counts is how many days users were vulnerable. Firefox has a history of vulnerabilities being patched quickly, and would look very good by this metric.
  • Very odd...

    it sure looks suspicious to me.
    InAction Man
  • Sensationalist title

    The apps considered for this list have very specific criteria. Including:
    "The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS."

    So for example, Internet Explorer may be "more vulnerable" than Firefox, but it wouldn't be listed in this report.

    The title (and pretty much the article) are sensationalist.
  • Talk about misleading statistics....

    Suppose IE and Firefox each have the same 10 vulnerabilities discovered. Firefox fixes 8 of them and Microsoft fixes 6 in IE. By this criteria, IE is better than Firefox because it fixed fewer flaws!

    You cannot judge all this without knowing how many unpatched flaws each package has.
    • Exactly! All this proves is that Firefox is the MOST secure.

      They actually patched their bugs. The app with the most patches is most likely the most secure. How so? Because every app has bugs and the quick release of patches shows a dedication to eliminating them.

      A more accurate title would be Firefox is the most frequently patched Windows application. Of course that would hardly get as much attention.
      • Stings a little I guess...nt

        • FireFox had more patches than IE in 2008

          yet the Firefox fanbois and Linus kneelers turn their heads to facts.

          Also watch the Secunia vulnerability reports for web servers and you will find about 1 in 5 of every report Secunia issues is a SQL injection flaw in an open-sourced web server.

          I am being generous with the 1/5 as it is most likely higher.
      • Grasping at straws

        I was scanning down the list of comments for the most ridiculous, impassioned, blind defense of Firefox, and it didn't take long. I love articles like these, because it really throws the "true believers" for a loop.
  • How is it functionally possible IE is not on the list?
    Just today.

    Even today, IE fully patched has more open vulnerabilities than every application (except probably Quicktime, it is simply a huge vulnerability in and of itself).

    I am all for listing and fixing vulnerabilities, but IE gets a pass, makes me think there is an agenda.
    33 secunia, 70 total vulnerabilities.
    "Another major bulletin is MS08-073, which covers 4 flaws in Internet Explorer,"

    Ahh, what's 4 or 5 critical flaws in IE per month, lol.

    • Good question. On my screen, I have the following:

      • how about this one... it's getting CRITICAL

    • Hold on to your hat.....

      Just because it's fashionable to blog every single MS patch and to only do so sporadically with OSS apps, doesn't mean a damn thing TripleII.

      You just have to realize how bad FireFox really is to have more security issues than IE.

      I don't think IE, for being the best platform to code to, is faring all that badly.

      It didn't start out with the Mantra of "security", like all of OSS land claims to own.

      If we saw every patch for all Linux based distros and apps on here everyday, Paul Murphy would be in total defense mode around the clock to try and exonerate them as somehow MS inspired.
      • "realize how bad FireFox really is"??? Very bad joke.

        Not funny at all.
        InAction Man
        • 10 vulns allowing remote code execution is what is not funny....

          facts is facts bud.

          Sorry if that affects your choice of product created by large numbers of geeks typing code into computers. I can see your conundrum.
          • I never found one

            I am using firefox since firebird 0.6 and that was in the betas era, a looong time ago. Now I am using the unbranded version called iceweasel (Linux.)

            When I still used Windows I took it to warez sites (just for the fun, I was switching to Linux) and I never had any problems. Believe me, if I only had IE I would never try that stunt.
            InAction Man