Bit9 Identifies 'The Dirty Dozen' - 2008's Most Popular Applications With Critical Security Vulnerabilities

Reputable programs found vulnerable; security gaps often left unaddressed

December 11, 2008

December 11, 2008 - Waltham, Mass. - Bit9, Inc., the pioneer and leader in Enterprise Application Whitelisting, unveiled its annual ranking of popular consumer applications with known security vulnerabilities. Often running outside of the IT department's knowledge or control, these applications can be difficult to detect; they create data leakage risk in endpoints that are otherwise secure; and they cause compliance breaches that can result in costly fines. The list, published in a research brief entitled "2008's Popular Applications with Critical Vulnerabilities," is designed to highlight the need for greater visibility and control over organizations' endpoints, including laptops, PCs, servers and Point-of-Sale systems.

The list this year expanded to include 12 applications, up from 10 last year, due to the increase in vulnerabilities and the popularity of applications such as Skype and Yahoo! Assistant that are often used by employees within an enterprise.

Five of the top 12 applications with known vulnerabilities include:

- Mozilla Firefox, versions 2.x and 3.x
- Adobe Acrobat, versions 8.1.2 and 8.1.1
- Microsoft Windows Live (MSN) Messenger, versions 4.7 and 5.1
- Apple iTunes, versions 3.2 and 3.1.2
- Skype, version

Each application on the list has the following characteristics:

- Runs on Microsoft Windows.
- Is well-known in the consumer space and frequently downloaded by individuals.
- Is not classified as malicious by enterprise IT organizations or security vendors.
- Contains at least one critical vulnerability that was:
  o first reported in June 2008 or after,
  o registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at, and given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
- Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists. The application cannot be automatically and centrally updated via enterprise tools such as Microsoft SMS and WSUS.

"Year after year, we see a growing number of applications within the enterprise creating security vulnerabilities that are easily prevented through better visibility across endpoints, and a more centralized patch-management process," said Harry Sverdlove, chief technology officer, Bit9, Inc. "2008 has been no exception. This year, along with the widely reported huge increase in malware, the number of well-known applications causing security problems for companies has also increased. Our annual ranking now covers 12 applications, up from 10 last year."

To read the full list of applications, which includes products from Symantec, Yahoo!, Trend Micro, Sun Microsystems and more, visit here ( to download the research note. With this note, IT managers can learn more about the application vulnerabilities, along with the benefits of using application whitelisting, a proactive approach to endpoint security.

About Bit9, Inc.

Bit9 is the pioneer and leader in enterprise application whitelisting. The company's patented application control solutions ensure only trusted and authorized applications are allowed to run, eliminating the risk caused by malicious, illegal and unauthorized software. Unlike traditional, reactive controls that try to scan for and prevent the never-ending list of unauthorized software, Bit9 leverages the Bit9 Global Software Registry, the world's largest database of software intelligence, to ensure only authorized applications can run, delivering the highest levels of desktop security, compliance, and manageability. Bit9 customers include companies in a wide variety of industries, such as retail, financial services, healthcare, e-commerce and telecommunications, as well as government agencies. Founded in 2002, Bit9 is privately held and based in Waltham, Massachusetts. For more information, visit or call +1 617.393.7400.
