Firefox tops list of 12 most vulnerable apps

December 15th, 2008
Firefox tops list of 12 most vulnerable apps
Posted by Ryan Naraine @ 10:41 am



Mozilla’s flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform.

According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008. These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs. Here’s Bit9’s dirty dozen:


Mozilla Firefox: In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflow, malformed URI links, documents, JavaScript and third party tools.

Adobe Flash and Adobe Acrobat: Bit9 listed 14 flaws patched this year that exposed desktops of arbitrary remote code execution via buffer overflow,“input validation issues” and malformed parameters.

EMC VMware Player,Workstation and other products: A total of 10 bugs introduced risks ranging from privilege escalation via directory traversal, ActiveX buffer overflows leading to arbitrary code execution and denial of service.

Sun Java JDK and JRE, Sun Java Runtime Environment (JRE):
Inability to prevent execution of applets on older JRE release could allow remote attackers to exploit vulnerabilities of these older releases. Buffer overflows allowing creation, deletion and execution of arbitrary files via untrusted applications. 10 patched vulnerabilities listed.

Apple QuickTime, Safari and iTunes: In QuickTime, the list includes nine vulnerabilities that allow remote attackers to execute arbitrary code via buffer overflow, or cause a denial of service (heap corruption and application crash) involving malformed media files, media links and third party codecs. The Safari for Windows browser was haunted by three flaws that could be lead to arbitrary code execution and denial of service involving JavaScript arrays that trigger memory corruption. Apple’s iTunes software was susceptible to a remote improper update verification that allowed man-in-the-middle attacks to execute arbitrary code via a Trojan horse update.

Symantec Norton products (all flavors 2006 to 2008): Stack-based buffer overflow in the AutoFix Support Tool ActiveX exposed Windows users to arbitrary code execution.

Trend Micro OfficeScan: A total of four stack-based buffer overflows that opened doors for remote attackers to execute arbitrary code.

Citrix Products: Privilege escalation in DNE via specially crafted interface requests affects Cisco VPN Client, Blue Coat WinProxy, SafeNet SoftRemote and HighAssurance Remote. Search path vulnerability, and buffer overflow lead to arbitrary code execution.

Aurigma Image Uploader, Lycos FileUploader: Remote attackers can perform remote code execution via long extended image information.

Skype: Improper check of dangerous extensions allows user-assisted remote attackers to bypass warning dialogs.Cross-zone scripting vulnerability allows remote attackers to inject script via Internet Explorer web control.

Yahoo Assistant: Remote attackers can execute arbitrary code via memory corruption.

Microsoft Windows Live (MSN) Messenger: Remote attackers are allowed to control the Messenger application, “change state,” obtain contact information and establish audio or video connections without notification.

See Bit9’s full report (.pdf) for information on how the list was put together, including criteria for inclusion.



http://blogs.zdnet.com/security/?p=2304

:*

it is included with the Microsoft cameras, so as usual, they put out a very complete and safe product. :puke:

Firefox patches as they go. It's open source, of course, I expect vulnerability.

IE is a big vulnerability that M$ continues to ignore - Fact is that they found a critical hole in IE today - it's so full of holes that it is not even worth it.

It's a list put together by somebody selling software management tools.

Not exactly an unbiased report.

The applications on this list meet the following criteria.

6) The application cannot be automatically
and centrally updated via free Enterprise
tools such as Microsoft SMS & WSUS.

i believe most popular open-source projects respond more quickly to security threats (and other issues) than the big boyz... at least that has been my experiance.

t

should I be worried? is that what the article is trying to imply?

as there aren't nearly as many attacks designed for macs... thats' one of the main reasons that i insist my family all run macs... if i gotta fix'm i get to chose the platform ;)

StudsT

It actually updated today and yea I heard macs are safer but I just could never get used to a Mac. The whole set up is weird to me, I guess I've always used a PC so that's just what I'm used to.

and as long as you stay on top of your updates with MS you should be good, too =)

StudsT

Seems beyond stupid to call something the most vulnerable by how many critical patches it has released. The most vulnerable probably doesn't even patch the holes. Firefox releases patches regularly and if you use it you get the patch. And by the list definition it doesn't include any MS Apps which have the worst track record of having vulnerabilities and not getting them patched.

sweepstakes, followed closely by Outbreak Express...

They should just lump that stuff together and call it 'Microsoft Petri Dish' and get it over with.

i'm screwn, right?

dp

I wonder why this story got pushed today.

Whatever could it be?

I just can't guess.

It's been said before, and it's been ignored before, so I'll say it again and let it be ignored again.

OpenSource software, almost by definition, has a higher rate for patched vulnerabilities, and with active packages backed by a dedicated team of developers, those vulnerabilities (the critical ones) are patched as quickly as possible.

Yes, Firefox has vulnerabilities. Every software package on earth that's more complicated than "Hello, World" has some sort of problem with it, and the vast majority of them aren't patched at all because they have no one working on them. Others, in particular closed source applications, patch infrequently, and many of these packages only fix such problems in subsequent version you end up having to pay for.

The criteria for this is just ridiculous. "Fixed" vulnerabilities somehow equates to "most vulnerable." A different editor might look at this and see one of the top 12 "developer teams most dedicated to fixing critical security flaws."

You know how they do around here anonymous171 :)

http://noscript.net/