The list this year expanded to include 12 applications, up from 10 last year, due to the increase in vulnerabilities and the popularity of applications such as Skype and Yahoo! Assistant that are often used by employees within an enterprise.
Five of the top 12 applications with known vulnerabilities include:
- Mozilla Firefox, versions 2.x and 3.x
- Adobe Acrobat, versions 8.1.2 and 8.1.1
- Microsoft Windows Live (MSN) Messenger, versions 4.7 and 5.1
- Apple iTunes, versions 3.2 and 3.1.2
- Skype, version 3.5.0.248
Each application on the list has the following characteristics:
- Runs on Microsoft Windows.
- Is well-known in the consumer space and frequently downloaded by individuals.
- Is not classified as malicious by enterprise IT organizations or security vendors.
- Contains at least one critical vulnerability that was first reported in January 2008 or after and is registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database and given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
- Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
- The application cannot be automatically and centrally updated via Enterprise tools such as Microsoft SMS & WSUS.
"Year after year, we see a growing number of applications within the enterprise creating security vulnerabilities that are easily prevented through better visibility across endpoints, and a more centralized patch-management process," said Harry Sverdlove, CTO, Bit9. "2008 has been no exception. This year, along with the widely reported huge increase in malware, the number of well-known applications causing security problems for companies has also increased. Our annual ranking now covers 12 applications, up from 10 last year.