Last week Bit9 presented its list ‘The Dirty Dozen’ – 2008’s Most Popular Applications with Critical Security Vulnerabilities, more or less a list of applications that pose critical security threats to companies. The list itself has caused quite a debate and many were surprised by some of the applications on it. The program at the top of the list, Mozilla Firefox, surprised many in particular, as did the security company Symantec and its Norton products in 6th place. The list looks as follows:
- Mozilla Firefox
- Adobe Flash & Acrobat
- EMC VMware Player, Workstation, and other products
- Sun Java Runtime Environment
- Apple QuickTime, Safari, iTunes
- Symantec Norton products
- Trend Micro OfficeScan
- Citrix products
- Aurigma and Lycos image uploaders
- Yahoo Assistant
- Microsoft Windows Live Messenger
Worth mentioning is that the list only covers applications that cannot be updated via a centralized update service, such as Microsoft SMS and WSUS.
That the list has been questioned shouldn’t surprise anyone really. Mozilla even went out and strongly denied that its browser would be a security threat to companies.
It focused on one of the criteria for ending up on the list in the first place: the lack of centralized updates. “Bit9 seems to understand (the need for smarter metrics) in its focus on application support for updates, but again it fails to account for the real world experience. Firefox does not deliver WSUS updates, but our built-in update mechanism requires no user intervention, and we consistently see 90% adoption within six days of a new update being released.”
Most certainly, we haven’t heard the last of this as the discussion on which applications employees should be allowed to use never ends.