Announcement

Announcement Module
Collapse
No announcement yet.

The 10 most vulnerable apps of 2009

Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • The 10 most vulnerable apps of 2009

    Tech Republic (part of ZDnet for those of you that remember it) just put up their list of the 10 most vulnerable apps of 2009, and guess what....not one of them is from Microsoft. Five of the ten are from Adobe or Apple.

    1. Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document...

    2. Adobe Flash Player does not properly remove references to destroyed objects during Shockwave Flash file processing, which allows remote attackers to execute arbitrary code via a crafted file...

    3. Adobe Shockwave allows remote attackers to execute arbitrary code via a crafted web page...

    4. Mozilla Firefox, everybody's favorite: The JavaScript engine in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code

    5. Sun Java - Unspecified vulnerability in the JPEG JFIF Decoder .... allows remote attackers to gain privileges...

    6. Opera browser before 9.64 allows remote attackers to execute arbitrary code via a crafted JPEG image that triggers memory corruption.

    7. Apple QuickTime - A buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted MP3 audio file.

    8. RealNetworks RealPlayer (an app I have always been suspect of) - A DLL file in RealNetworks RealPlayer 11 allows remote attackers to execute arbitrary code via a crafted Internet Video Recording (IVR) file

    9. Apple Safari - Buffer overflow in ImageIO in Apple Mac OS X 10.5 before 10.5.8, and Safari before 4.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image with crafted EXIF metadata....

    10. Trillian - Buffer overflow in the XML parser in Trillian 3.1.9.0, and possibly earlier, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DTD file.

    Now MS probably had ten times as many security issues during the same time period (maybe more), but apparently the holes were not as big as the ones left by these 10 applications.

    My point...It does not matter which OS you use or which browser you choose, they are all vulnerable. Just like any lock can be picked or any encryption code cracked, any computer can be accessed if the attacker is determined enough (or lucky), so keep your guard up in 2010!

    10 Most Vulnerable Software Apps of 2009 | ZDNet Photo Gallery

    As Homer would say; "I have a feeling some bad stuff is about to go down."


    And here is a second source with info on FireFox and Safari:

    Firefox most vulnerable browser, Safari close second
    Posted on 10 November 2009. Bookmark and Share ... IBM, and Apache
    continue to be among the top 10 most vulnerable Web applications named. ...
    Last edited by Bob D.; 12-31-2009, 06:51 AM. Reason: fixed a typo
    ---------------
    Light is faster than sound. That's why some people seem really bright until you hear them speak.
    ---------------
    “If I had my life to live over again, I'd be a plumber.” - Albert Einstein
    ---------
    "Its a table saw.... Do you know where your fingers are?"
    ---------
    sigpic http://www.helmetstohardhats.com/

  • #2
    Re: The 10 most vulnerable apps of 2009

    Good info, here's some follow up on what to do with this information. Adobe obviously has a lot of security issues, and it always takes them forever to push updates to users. For those of us who use our computers for work/business it's pretty vital to be able to open .pdf files. There are some free open source alternatives to Adobe reader, I've found FoxIt reader to work the best for me. For Flash and Shockwave vulnerabilities the best protection for firefox users would be to use plug-ins like AdBlocker Plus and NoScript to give more control on what content can and can't run while browsing.

    Apple Quicktime is another install I try to avoid. If all you need quicktime for is to watch clips formatted as .mov occasionally, you could use free alternative programs such as Quicktime Alternative, or the more useful vlc player. As also in the case of the Adobe alternatives, they use much fewer resources and are not vulnerable to the known exploits.

    Comment


    • #3
      Re: The 10 most vulnerable apps of 2009

      Originally posted by Bob D. View Post
      My point...It does not matter which OS you use or which browser you choose, they are all vulnerable. Just like any lock can be picked or any encryption code cracked, any computer can be accessed if the attacker is determined enough (or lucky), so keep your guard up in 2010!
      I take issue with any encryption can be cracked, at least not without state resources. In general, good encryption is such a hard target that people just side step it. For example, they can't read the encrypted data between you and your bank so they hack the bank's server, or your computer.

      Comment


      • #4
        Re: The 10 most vulnerable apps of 2009

        I didn't say it was logical to crack it, just that I think it can be done given enough computing power and time.

        I remember when there was a contest to break the DES code. There were teams all over the world trying. I was a member of one and we each 'chewed' on bits of the code (distributed computing) and the results were collected and analyzed. The code had a hidden message embedded in it. If you could read the message then you had cracked the code and won the prise money. They had the next version all ready to go for the time when the code did get cracked. It went from 32 bit to 48 bit IIRC, the 64 bit.

        The distributed computing approach is similar to the SETI project which I also worked on for years. I ran a small 'farm' of computers (maxed out at 8 machines running 24/7 at the house) which crunching work units (looked at data for telltale signs of intelligent life in space) collected from the Arecibo Observatory , the world's largest radio telescope. There were millions of people around the world working on it the project which is still going on.
        ---------------
        Light is faster than sound. That's why some people seem really bright until you hear them speak.
        ---------------
        “If I had my life to live over again, I'd be a plumber.” - Albert Einstein
        ---------
        "Its a table saw.... Do you know where your fingers are?"
        ---------
        sigpic http://www.helmetstohardhats.com/

        Comment


        • #5
          Re: The 10 most vulnerable apps of 2009

          At this point DES is certainly crackable, the interesting thing is not only the distributed.net type approach, but the EFF approach with FPGAs (basically a specialized CPU that is microprogrammed) was able to break it in a couple of days for about $100k. Of course, modern ciphers like AES use a 256 bit key is 2^200 (roughly 1 followed by 60 zeros) times harder to break than DES (using the brute force approach).

          Because the NSA allowed AES to be used for classified data, I tend to believe that it should be pretty good. I'm also not a conspiracy nut, so I don't think they try to insert a backdoor. The changes they made to DES actually made it quite a bit stronger against differential cryptanalysis, which was not publically known at the time.

          Comment

          Working...
          X