Summary: Software products marketed by Yahoo and Apple have topped the list of the most vulnerable Windows-based applications in 2007, according to endpoint security vendor Bit9.
The list, available here (registration required), focuses on popular, widely deployed Windows programs that are often very difficult for an IT department to locate or patch and, as Bit9 explains, "represent unexpected and unquantified vulnerabilities in an enterprise IT environment."

Yahoo's standalone IM client, which has been riddled with security holes all year, is #1 on the list. The buggy Yahoo Widgets software also makes an appearance at number 9.

Apple's QuickTime media player and iTunes music download software also feature high on the list.

Strangely, Microsoft does not feature heavily on the Bit9 list. In fact, a Microsoft product appears only once on the list -- Windows Live MSN Messenger at #4.

The Bit9 explanation:

The reason most Microsoft software doesn't make the list is because by now most companies have a pretty good process in place for identifying, patching, and fixing vulnerable Microsoft software. The same cannot be said for apps like Firefox, iTunes, and other packages.

That does make sense but it's hard to imagine Internet Explorer 6, the world's most widely used -- and heavily targeted -- browser, not making an appearance on this list.

I could also make the argument that Microsoft Word, which has struggled with zero-day attacks and multiple code execution holes, should be high on any list of most-vulnerable Windows apps.

Here's the top-ten from Bit9:

  1. Yahoo! Messenger and earlier
  2. Apple QuickTime 7.2
  3. Mozilla Firefox
  4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
  5. EMC VMware Player (and other products) 2.0, 1.0.4
  6. Apple iTunes 7.3.2
  7. Intuit QuickBooks Online Edition 9 and earlier
  8. Sun Java Runtime 1.6.0_X
  9. Yahoo! Widgets 4.0.5 and previous
  10. Toolbar and previous

As I always recommend for Windows users, be sure to scan your system for security holes and apply all the necessary patches. Secunia's free Web-based software inspector is a great place to start. A downloadable version is also available.
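The practical problem the article keeps returning to is inventory: the applications on the list are the ones an IT department cannot easily locate, let alone patch. The script below is an added example (not Bit9's tool, not Secunia's inspector, and not code from the article) of the first half of that job: parse a `Name  Version` product listing of the kind `wmic product get Name,Version` prints on Windows, and flag every installed product that falls inside an "X and earlier" range on a watch list. The watch list, its version bounds and the sample inventory are constructed for the example; where the article elides a version (Yahoo! Messenger), a placeholder bound is used.

```python
import re

# Hypothetical watch list: product-name regex -> highest version treated as
# affected ("X and earlier"). The bounds are illustrative assumptions, not
# Bit9's published data; the Yahoo! Messenger bound is a placeholder because
# the article elides that version.
WATCH_LIST = {
    r"yahoo!? messenger": "8.1",      # placeholder bound (version elided in the article)
    r"apple quicktime":   "7.2",
    r"apple itunes":      "7.3.2",
    r"vmware player":     "2.0",
    r"yahoo!? widgets":   "4.0.5",
    r"java.*runtime":     "1.6.0_2",  # "1.6.0_X": update 2 chosen as the example bound
}


def version_tuple(text):
    """'1.6.0_02' -> (1, 6, 0, 2). Every run of digits becomes one field."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def at_or_below(found, bound):
    """True if `found` lies within the '`bound` and earlier' range.

    Only as many fields as `bound` has are compared, so 7.2.0.240 counts as
    7.2; a `found` with fewer fields is padded with zeros."""
    b = version_tuple(bound)
    f = version_tuple(found)[:len(b)]
    f += (0,) * (len(b) - len(f))
    return f <= b


def parse_inventory(text):
    """Parse 'Name  Version' rows as printed by `wmic product get Name,Version`
    (columns separated by two or more spaces; first line is the header)."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) >= 2:
            rows.append((parts[0], parts[-1]))
    return rows


def flag_unmanaged(inventory_text, watch_list=WATCH_LIST):
    """Return [(name, version, bound)] for installed products inside a watched
    range. Products that match no watch-list pattern are ignored."""
    hits = []
    for name, version in parse_inventory(inventory_text):
        for pattern, bound in watch_list.items():
            if re.search(pattern, name, re.IGNORECASE) and at_or_below(version, bound):
                hits.append((name, version, bound))
    return hits


# Constructed sample inventory, not captured from a real machine.
SAMPLE_INVENTORY = """\
Name                                        Version
Apple QuickTime                             7.2.0.240
Apple iTunes                                7.4.0.27
Mozilla Firefox (2.0.0.8)                   2.0.0.8
Yahoo! Messenger                            8.1.0.195
Java(TM) SE Runtime Environment 6 Update 3  1.6.0.3
VMware Player                               2.0.1.55017
Yahoo! Widgets                              4.5.1
"""

if __name__ == "__main__":
    for name, version, bound in flag_unmanaged(SAMPLE_INVENTORY):
        print(f"REVIEW  {name} {version}  (watch-list bound: {bound} and earlier)")
```

On the sample data this reports QuickTime, Yahoo! Messenger and VMware Player and leaves iTunes, Java and Widgets alone because their installed versions are above the assumed bounds. Firefox is listed in the inventory but not flagged because the article gives no affected version for it, so it has no watch-list entry. Comparing only as many fields as the bound specifies is what makes "7.2" cover a build such as 7.2.0.240; a naive full-tuple comparison would miss it.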

  • Look at the conditions that were the criteria for the list

    You made some mention of this, but the reason why IE and Office are not on this list is that they are well known to be threats and are already inside most companies, so they are already being protected. These other apps tend to slip below the radar.

    This makes a lot of sense. It's far harder to compromise systems when admins are looking for the attack, even with an open vulnerability. When you don't know about it is when you get hit.

    Attacks against Windows, IE and Office are well known. It's necessary to keep in mind lesser-known attack vectors.
    • It's not because they're "well known" attack vectors

      Windows/IE and Office are not on the list because their patching can be centrally managed by an administrator. The software on the list cannot be and must be patched manually.

      This is a huge strength -- despite possibly large quantity and/or high severity of Windows/IE/Office flaws, ease of patch deployment is a huge point in Microsoft's favor. It's something that the other software on the list lacks.
  • RE: Yahoo Messenger, QuickTime top list of most vulnerable Windows apps

    Mac applications for Windows can figure this one out...
  • Mac for Windows

    Mac application for Windows... you can figure this one out yourself
  • You left out the most notorious app of all...

    That annoying mouse pointer. When it clicks on a nefarious email attachment, or clicks on a web link to, then all manner of mayhem ensues. Something really must be done to control this restless evil, the mouse pointer!!
    • Is that real...?

      Is that a real website?
      lol anyway...
      He's right you know
      Everything is the fault of the mouse
      Wonder if an OS with no mouse will come out one day...
      • Not real

        The website is not real - I just made it up to make the point that the mouse pointer seems to just click on bad web sites and cause a lot of problems. :)

        Demonstrating absurdity by being absurd...
        • Umm

          I don't think he really thought that was a real website, dude...
          • Yeah, I know...

            I was just trying to be friendly, that's all...
  • Hmmm, is Real Player an app or a virus itself?

    Because it has holes you can drive a truck through.
    • Yes, good pick

      RealPlayer is another one. I'd put that on any top ten "worst" list.

      Ryan Naraine
    • It probably isn't on the list...

      ...because most of us have already removed it, system wide.
  • Interesting non MS apps are now providing all the ways into the O/S

    It's interesting that a number of non-MS apps are providing big holes for hackers... MS is trying to secure the O/S; shame other vendors don't take this as seriously. Apple being in there doesn't surprise me one bit, BTW!
  • I love apple but...

    If they are going to be successful in the future, in the (emphasised) long-term (/e), they need to stop being cocky about several things, one of which is security.

    Just because Apple has a platform that isn't attacked by viruses, it doesn't mean that when they port an application that was built on that platform to another, it is going to be perfect, yet Apple assumes that it will be. If they want to live up to their cocky claims of perfection across their entire product portfolio (which is not the case: the iPod Hi-Fi, Apple TV, Mac Mini), they had better try hard, and apart from their industrial and user interface design (what they are known for) Apple is not perfect.

    Apple - please stop being cocky and employ some security technicians.
    • correction

      I didn't wish to imply Apple has perfect industrial and UI design.

    • I agree. There is irony here

      as you mention. Apple has a nice OS; if you dig deep and look at the kernel, however, you find things are not really that secure. In fact Vista is proving to be more secure based on multiple metrics. But with that stretch of not getting hit hard, at least that anyone is aware of, I think you are right and they tend to think their code is bulletproof.

      The irony is Microsoft takes the heat for security when it's often the apps, and Apple has number 2 and number 6 out of the top 10. Quite a distinction, and ironic for Apple to have 2 of the very worst apps in terms of security.

      I often wonder if Apple is more about shrewd technology choices and licensing than their own development. Seems that way based on much I've read.
      • It's not the apps, it's the OS

        With Apple, it's their OS that supplies the security. That's how it should be. App developers should not have to worry about security. The OS should see to it that the computer is secure, no matter what apps are run on it. For starters, apps should not need root permissions, as many, if not most, Windows apps must have.
        • You seriously can't be a software developer

          can you?
  • Firefox is one of the most vulnerable browsers

    Firefox is one of the most vulnerable browsers
    • I'm not too smart?

      Could you elaborate on that or provide facts not related to the MS operating system?

      Your reply is greatly anticipated...
      not of this world