
10 Most Vulnerable Software Apps of 2009

According to whitelisting vendor Bit9, these are the most vulnerable software applications of 2009. The critical vulnerabilities found in these programs could be exploited by malicious hackers to take complete control of a Windows computer.
By Ryan Naraine, Contributor
1 of 10 Ryan Naraine/ZDNet

Vulnerabilities that allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors. Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E. Allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via (1) a crafted Flash application in a .pdf file or (2) a crafted .swf file, related to authplay.dll, as exploited in the wild in July 2009.

2 of 10 Ryan Naraine/ZDNet

Does not properly remove references to destroyed objects during Shockwave Flash file processing, which allows remote attackers to execute arbitrary code via a crafted file, related to a “buffer overflow issue.” Allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors, related to a “privilege escalation vulnerability.” Allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, related to a “null pointer vulnerability.”

3 of 10 Ryan Naraine/ZDNet

Allows remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption, related to an “invalid string length vulnerability.” Array index error in Adobe Shockwave Player before 11.5.2.602 allows remote attackers to execute arbitrary code via crafted Shockwave content on a web site.

4 of 10 Ryan Naraine/ZDNet
The JavaScript engine in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code.

Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file. Heap-based buffer overflow in the GIF image parser in Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via unspecified vectors.
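The right-to-left override issue above is a display problem, not a parsing one: the bytes of the filename are unchanged, but a bidi-aware renderer draws everything after U+202E reversed, so the extension the user sees differs from the one the operating system will use. The following Python is an added example for this gallery (it is not code from the article, Bit9 or Mozilla) showing how a download handler or mail gateway can detect that mismatch and normalise the name. The sample filename `invoice\u202Efdp.exe` is constructed for the demonstration, and the rendering logic is a deliberate simplification of the Unicode bidi algorithm (it only models RLO ... PDF spans).

```python
# Unicode bidirectional control characters. Any of them in a filename can change how the
# name is displayed without changing the bytes the OS uses to choose a file handler.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO = "\u202E"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202C"  # POP DIRECTIONAL FORMATTING (ends the override)


def true_extension(name: str) -> str:
    """Extension the operating system actually uses: the text after the last '.'
    in the raw string, regardless of how the name is drawn on screen."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def displayed_as(name: str) -> str:
    """Approximate what a bidi-aware renderer shows (simplified model, assumption):
    characters after an RLO are drawn reversed until a PDF ends the override."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; ignored in this approximation
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_filename(name: str) -> dict:
    """Flag a filename whose visible extension differs from its real one."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    shown = displayed_as(name)
    real_ext, shown_ext = true_extension(name), true_extension(shown)
    return {
        "has_bidi_controls": bool(controls),
        "controls": controls,
        "true_extension": real_ext,
        "displayed_extension": shown_ext,
        "displayed_as": shown,
        # A visible/real extension mismatch caused by a control character is the signal.
        "extension_spoofed": bool(controls) and real_ext != shown_ext,
    }


def sanitize_filename(name: str) -> str:
    """Defensive normalisation: drop every bidi control so the name renders as stored."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


if __name__ == "__main__":
    constructed = "invoice\u202Efdp.exe"  # constructed sample, not a real artifact
    print(analyze_filename(constructed))
    print(sanitize_filename(constructed))
```

In a download dialog the `extension_spoofed` result is what should drive the warning; stripping the controls (as `sanitize_filename` does) is the simplest fix for anything that stores or forwards the name.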

5 of 10 Ryan Naraine/ZDNet

Unspecified vulnerability in the JPEG JFIF Decoder in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to gain privileges via a crafted image file, aka Bug Id 6862969. Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 does not properly parse color profiles, which allows remote attackers to gain privileges via a crafted image file.

6 of 10 Ryan Naraine/ZDNet

Opera before 9.64 allows remote attackers to execute arbitrary code via a crafted JPEG image that triggers memory corruption.

7 of 10 Ryan Naraine/ZDNet

Buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted MP3 audio file. Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and execute arbitrary code via an AVI movie file with an invalid nBlockAlign value in the _WAVEFORMATEX structure.

8 of 10 Ryan Naraine/ZDNet

A DLL file in RealNetworks RealPlayer 11 allows remote attackers to execute arbitrary code via a crafted Internet Video Recording (IVR) file with a modified field that controls an unspecified structure length and triggers heap corruption, related to use of RealPlayer through a Windows Explorer plugin.

9 of 10 Ryan Naraine/ZDNet
Buffer overflow in ImageIO in Apple Mac OS X 10.5 before 10.5.8, and Safari before 4.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image with crafted EXIF metadata.

Apple Safari, possibly before 4.0.3, on Mac OS X does not properly handle a ‘\0’ character in a domain name in the subject’s Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
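The NUL-in-CN problem comes from a mismatch between two string models: ASN.1 strings in a certificate carry an explicit length, so a NUL byte is just data, while C-style APIs stop at the first NUL. A validator that hands the CN to a C string comparison therefore sees only the prefix before the NUL. The Python below is an added example for this gallery (not code from the article, Apple or Mozilla) contrasting the truncating comparison with a hardened one, and showing the length check that exposes the embedded NUL at the DER level. The CN value `www.bank.example\x00.attacker.example` and the `encode_der_string` helper are constructed for the demonstration.

```python
def encode_der_string(s: str) -> bytes:
    """Constructed helper: encode one short-form DER UTF8String (tag 0x0C)."""
    body = s.encode("utf-8")
    if len(body) > 0x7F:
        raise ValueError("short-form length only in this example")
    return bytes([0x0C, len(body)]) + body


def der_string_lengths(der: bytes) -> tuple:
    """Parse one short-form DER UTF8String/PrintableString (tag 0x0C or 0x13) and return
    (declared_length, c_visible_length). A mismatch means the value holds an embedded NUL."""
    if len(der) < 2 or der[0] not in (0x0C, 0x13):
        raise ValueError("not a short-form DER string")
    declared = der[1]
    if declared > 0x7F or len(der) != 2 + declared:
        raise ValueError("unsupported or truncated encoding")
    body = der[2:]
    return declared, len(body.split(b"\x00", 1)[0])


def cn_as_c_string(cn: str) -> str:
    """What a NUL-terminated-string API sees: everything from the first NUL is dropped."""
    return cn.split("\x00", 1)[0]


def naive_cn_matches(cn: str, host: str) -> bool:
    """Vulnerable comparison: the CN is truncated at the NUL before being compared."""
    return cn_as_c_string(cn).lower() == host.lower()


def cn_is_well_formed(cn: str) -> bool:
    """A DNS name never contains NUL or other control characters; labels are
    letters, digits and hyphens (a lone '*' label is allowed for wildcards)."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in cn):
        return False
    return all(
        label == "*" or (label and all(ch.isalnum() or ch == "-" for ch in label))
        for label in cn.split(".")
    )


def strict_cn_matches(cn: str, host: str) -> bool:
    """Hardened comparison: reject a malformed CN outright, otherwise compare the
    whole value using its real length (Python strings are length-prefixed, like ASN.1)."""
    if not cn_is_well_formed(cn):
        return False
    return cn.lower() == host.lower()


def der_cn_has_embedded_nul(der: bytes) -> bool:
    """The check a validator should make on the raw certificate field."""
    declared, visible = der_string_lengths(der)
    return declared != visible


if __name__ == "__main__":
    crafted = "www.bank.example\x00.attacker.example"  # constructed sample value
    print("naive :", naive_cn_matches(crafted, "www.bank.example"))
    print("strict:", strict_cn_matches(crafted, "www.bank.example"))
    print("DER lengths:", der_string_lengths(encode_der_string(crafted)))
```

The `der_string_lengths` check is the one that matters operationally: compare the ASN.1 length of the CN (and of each subjectAltName dNSName) with the length a C string function reports, and treat any difference as a validation failure rather than silently using the prefix.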

10 of 10 Ryan Naraine/ZDNet

Buffer overflow in the XML parser in Trillian 3.1.9.0, and possibly earlier, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DTD file.
