10 Most Vulnerable Software Apps of 2009
Summary: According to whitelisting vendor Bit9, these are the most vulnerable software applications of 2009. The critical vulnerabilities found in these programs could be exploited by malicious hackers to take complete control of a Windows computer.

Adobe Reader and Acrobat. The entry runs together three 2009 vulnerability descriptions for Reader and Acrobat:

- Vulnerabilities that allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.
- Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E (CVE-2009-0658).
- A flaw in authplay.dll, the Flash runtime bundled with Reader and Acrobat, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via (1) a crafted Flash application in a .pdf file or (2) a crafted .swf file, as exploited in the wild in July 2009 (CVE-2009-1862).

Both in-the-wild vectors were delivered as ordinary-looking PDF attachments, so the practical check is whether a PDF carries a JBIG2 image stream or embedded Flash at all, since most business documents need neither.
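The following triage script is an added example, not code from ZDNet or Bit9. It scans a PDF for the two structures the slide's in-the-wild exploits relied on (a /JBIG2Decode image stream and a Flash application or /RichMedia annotation inside the PDF), decodes the #xx name escapes exploit kits used to hide those names, and inflates FlateDecode streams because object streams can carry the relevant dictionaries in compressed form. The sample PDFs, the indicator table and the function names are all constructed for this demo; the /JavaScript and /OpenAction checks are not from the slide and serve only as triage context.

```python
import re
import zlib

# Indicators taken from the two in-the-wild 2009 Adobe Reader vectors described
# on the slide: an embedded JBIG2 image stream, and a Flash application inside a
# PDF (rendered by authplay.dll). The last two are not from the slide; they are
# frequent companions of exploit PDFs and are flagged only as triage context.
INDICATORS = {
    "jbig2_stream": rb"/JBIG2Decode",
    "flash_in_pdf": rb"/Subtype\s*/Flash|/RichMedia",
    "javascript":   rb"/JavaScript|/JS(?![A-Za-z])",
    "open_action":  rb"/OpenAction|/AA(?![A-Za-z])",
}

# Stream bodies: everything between "stream<EOL>" and the next "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# A PDF name token: "/" followed by regular (non-delimiter) characters.
NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF names, so /J#42IG2Decode reads /JBIG2Decode.
    The escape is legal PDF syntax and was used by exploit kits to dodge naive
    byte-signature scanners."""
    def unescape(m):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return NAME_RE.sub(unescape, data)


def inflate_streams(data: bytes) -> bytes:
    """Best-effort: inflate every stream body that is zlib data. Object streams
    (/ObjStm) carry whole dictionaries inside a FlateDecode stream, so the names
    above may exist only after decompression. Non-zlib bodies (JBIG2, DCT,
    raw bytes) fail the zlib header check and are skipped."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the EOL bytes that trail the zlib data
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Return {indicator: bool} over the visible objects plus inflated streams,
    and an 'obfuscated_names' flag when any visible name used a #xx escape."""
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("missing %PDF- header")
    # Drop stream bodies before name normalization so binary data cannot trip
    # the obfuscation flag; the bodies are handled by inflate_streams instead.
    objects = STREAM_RE.sub(b"stream\nendstream", data)
    visible = normalize_names(objects)
    hidden = normalize_names(inflate_streams(data))
    hits = {name: bool(re.search(pat, visible) or re.search(pat, hidden))
            for name, pat in INDICATORS.items()}
    hits["obfuscated_names"] = visible != objects
    return hits


def is_suspicious(hits: dict) -> bool:
    """Verdict: either slide vector, or name obfuscation, is enough to quarantine."""
    return hits["jbig2_stream"] or hits["flash_in_pdf"] or hits["obfuscated_names"]


def build_sample(image_filter: bytes, extra_obj: bytes = b"") -> bytes:
    """Constructed minimal PDF for the demo (no xref table, so not renderable)."""
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R "
            b"/Resources << /XObject << /Im0 4 0 R >> >> >> endobj\n"
            b"4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
            b"/Filter " + image_filter + b" /Length 4 >>\n"
            b"stream\n\x00\x00\x00\x00\nendstream\nendobj\n"
            + extra_obj +
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed samples, not real malware: a benign JPEG image; a JBIG2 image
# whose filter name is #-escaped; a /RichMedia annotation hidden inside a
# compressed object stream.
CLEAN_PDF = build_sample(b"/DCTDecode")
JBIG2_PDF = build_sample(b"/J#42IG2Decode")
_objstm = zlib.compress(b"5 0 obj << /Type /Annot /Subtype /RichMedia >> endobj")
FLASH_PDF = build_sample(
    b"/DCTDecode",
    b"6 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length %d >>\n"
    % len(_objstm) + b"stream\n" + _objstm + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN_PDF), ("jbig2", JBIG2_PDF), ("flash", FLASH_PDF)):
        hits = scan_pdf(pdf)
        print(label, "SUSPICIOUS" if is_suspicious(hits) else "ok", hits)
```

This is a byte-level heuristic, not a PDF parser: it will miss names split across an incremental update or encrypted documents, and a legitimate scanned fax can use JBIG2 compression, so treat a hit as a reason to open the file in a sandbox rather than as proof of exploitation.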
Talkback
Just a computer.
RE: Trillian (10 Most Vulnerable Software Apps of 2009)
Why aren't IE and Outlook there?
these threats only apply on Windows. If so, then why on Earth are not the two worst culprits in computer history, IE and Outlook, there in the list?
Perhaps you just "forgot"?
2009
I find it interesting to note that beyond Adobe, infamous offender for the last few years, Firefox and Apple are taking a beating. So much for Open source = secure, or Apple = perfect which have become mantras in the last few years.
At the end of day, it's all just software, and you win some, you lose some.
Different approach to bugs
You are forgetting something....
OSS software bug reporting and proprietary bug reporting practices have been consistent over the years. Since they have been consistent, the OSS software (Firefox, etc.) has increased vulnerabilities *In Spite Of* being open. If this is indeed the case, then the OSS increased vulnerability is NOT due to its Openness. Or, put more clearly, "If they've ALWAYS been open-source, why are vulnerabilities increasing?"
Similarly: It's admirable that Microsoft is not on this list. While some people may say it's only because it's proprietary and hidden, that can't be the reason. Its proprietary status hasn't changed, and over the last decade, people have had NO problems finding vulnerabilities with the source code not available.
Last observation: People fled IE to Firefox with the main argument being "it's more secure". Those were the ads I saw, those were the stories I've read. It was in the New York Times. It's interesting that those same authors are suddenly silent when Firefox has more exploits out there than IE. And I doubt people are going to switch back to IE due to security. Interesting.
Funny how the real numbers on OS adds up
X-Force tracks vulnerabilities by platform and has produced metrics this year to show the operating systems with the most disclosed vulnerabilities. The following chart shows the operating systems with the most vulnerabilities documented in 2008. The top ten operating systems account for nearly 75% of all vulnerability disclosures affecting operating systems.

Operating System                 Percentage
Apple Mac OS X Server            14.3
Apple Mac OS X                   14.3
Linux Kernel                     10.9
Sun Solaris                       7.3
Microsoft Windows XP              5.5
Microsoft Windows 2003 Server     5.2
Microsoft Windows Vista           4.1
Microsoft Windows 2000            4.8
Microsoft Windows 2008            4.1
IBM AIX                           3.7
Others                           24.9

Table 7: Operating Systems with the Most Vulnerability Disclosures, 2008

Several operating systems have remained in the top five list over the past three years:
- Apple Mac OS X
- Apple Mac OS X Server
- Linux Kernel
Isn't that from the honeymonster FUD IBM report
Do you really think your scare tactics are going to drive everybody back to using only Windoze?
Get a GRIP, Guy!
C'mon, if Big Blue was shilling this list, AIX wouldn't even be IDENTIFIED on it!
Windows will NEVER be a PERFECT OS; neither will Mac's OS, or LINUX, or ANY non-self-repairing OS (in effect, any non-sentient OS). As long as an operating system needs external programmers to adjust and modify the master code - in other words, as long as HUMANS have control of the operating system, and therefore the machinery - NO OS will be perfect. PERIOD!
So get OVER these OS Wars, children.
LOL... Talk about "grip"
lol...
~
We don't even really know if IBM even created that pdf. It has no footnotes or third party references to back up any claims it makes about Apple or Linux.
Now as to what [b]is[/b] in there, the report is pretty unflattering to M$, but that's just common knowledge so it doesn't tell us anything new. Points that honeymonster conveniently likes to leave out or not talk about. It's understandable since shills don't like to shed light on any negative aspects for their product.
~
Now maybe next Christmas when you've been a good apologist all year, Santa might leave something under the tree for you. That way [b]you[/b] won't be the one who loses his "grip". Ok?
;)
GEE, THAT'S Funny...
Meanwhile, LOTS of people would appear to be getting overWHELMED by various attacks while running Firefox, Opera, or even more esoteric browsers on Wintel boxes, and even a few Macs are starting to get hit - probably because now that Apple is bragging more and more about how they're "so safe, so sane, and so secure," the hackers and crackers are feeling the challenge!
Hey APPLE! Anyone ever tell you NERDS the worst thing you can do is jump in the pasture and wave a RED FLAG at a bull?
But I digress. IE is like ANY OTHER Internet browser; only as secure as YOU or I make it; only as secure as we keep it. Practice safe computing, avoid obvious honey traps, and you won't get stung. Or at least, not as often. MONITOR your e-mail, and you're going to be safer, too.
Yeah, I know, I sound like your sainted Grandmother. So what? She was smarter than you want to admit, wasn't she? Tough. Live with it.
The cold, hard truth
source companies fix their bugs secretly is one of the worst myths in OSS.

Security vulnerabilities are disclosed because they are being <i>patched</i>. Some customers (notably enterprises) want to know <i>exactly</i> why they need to apply a patch. They need to know what the risk would be if they block a certain patch in the name of stability. Hence, they need to know what vulnerabilities are being patched and what the possible impact is.

That is why Microsoft's security bulletins are so detailed, much more so than the typical open source bulletins.

In fact, products like Firefox <u>contain more vulnerabilities</u> than what is being counted on e.g. Secunia. The reason: Mozilla will routinely treat patches in <i>underlying</i> libraries as a <i>single</i> FF vuln, even though the libraries patched <i>multiple</i> vulnerabilities.

In the case of Linux, Mr. Linus Torvalds has publicly stated that he does not see any reason to label his fixes as security-related. Alas, a number of Linux vulnerabilities will be fixed but never reported as being security related.

<b>The cold hard truth</b> - as noted by practically all security researchers - is that Microsoft has done a tremendous job of security in their products since the inception of the Secure Development Lifecycle (SDL).

<b>The cold hard truth</b> is that security and stability (which FF has also lacked lately. Strike that. Which FF has *always* lacked) are closely related to the quality control of the vendor. Not whether it is open source or not. And Mozilla is lagging on quality control.
Uh, Firefox is more stable than IE
less stable than IE is not a cold hard truth... it's an outright goddamned lie!

As to 'security' in Firefox? Since it isn't part of the OS, it's pretty secure just by virtue of that!

And, with things like NoScript and AdBlock (which block the three most common ways that people get Firefox to run arbitrary code!)... it's bulletproof.
That's Telling 'Em!
Memory corruption bugs
memory. Since their 3.x branch there has been a very high number of memory corruption bugs, many of them exploitable.

Like this: http://www.mozila.pl/blog/mozilla-fixes-hundreds-of-firefox-memory-leaks/

Mozilla denied for the longest time that they had a problem.

Firefox is still a little too crash-happy. Mozilla still fixes memory corruption bugs with each release. If there was no problem, what exactly are they fixing?

More alarmingly, they seem to introduce *new* memory bugs in newer releases. Their new JS engine apparently still needs some work.
Short memory
This is from Nov. 7 <i>this year</i>: http://www.computerworld.com/s/article/9140498/Mozilla_fixes_Firefox_crash_bug?source=rss_security

<i>"We're seeing <b>lots of crashes</b> in the GIF decoder," noted Mozilla developer Joe Drew in the message that kicked off the discussion on Bugzilla

Firefox 3.5.5 also fixes a <b>stability bug</b> in the Mac version, and <b>another crash problem</b> in the Windows and Mac editions.</i>

But I should probably take your anecdotal evidence over an official statement from Mozilla?

But I'm sure it's ok now. It's been, what, almost 1 1/2 months?

It is ok to be a fan of Mozilla/Firefox. But please don't make it into something that it isn't. Firefox users have experienced the crashes <i>en masse</i>. It is no secret, so stop pretending.
Convince yourself
ignore ALL the evidence to the contrary.
Bulletproof lmao
What evidence?
Show me one piece of software that doesn't...
It's been about 9 months since Firefox crashed on me. As far as I'm concerned, that's not a bad record.
OSS?
If you are killed, it does not matter who killed you, as it matters ...