Vulnerable applications that fail to lend themselves to updating through corporate tools are creating a security gap, according to a ludicrous list from whitelisting firm Bit9. Bit9's list of "threats in plain sight" names Firefox at the top of a "Dirty Dozen", essentially because it's both popular and has been the subject of …
"5) Enforce application controls using Bit9 Parity."
I think I see the point of this now. All it needs to complete it is a popup that says "Your computer is compromised by Firefox! Click here to allow Bit9 to help you!"
What a load of idiots
Number 1 should be Internet Exploder. Me thinks this might be a M$ sponsored list.
"Bit9 trolls for publicity"
And gets it courtesy of a slow news day for El Reg. Pressreleasetards, all of you. The shame of it.
Ah, but this is for the corporate environment
Remember that in the corporate environment, the end-user doesn't have the option to update, and usually wouldn't have the inclination to update if they could! I've had one of these applications constantly bug me to install updates, when I can't. So, it involves a call to IT to log into my machine and fanny about.
Remember also that overnight managed updates are preferred where possible (i.e. on any desktop machine as it remains plugged into the network after everyone's gone home). IT need to retain the ability to schedule updates for different times as needs change and to dynamically balance out network traffic.
So, an auto-update feature built into an application is useless on the first count, and inflexible on the second count. Centralised updating is the only sensible option, and for this, these apps fail.
Where's the Windows?
I see no mention of that pit of threats called Windows. They can't have excluded it because of its Automatic Updates because you can turn it off. If it wasn't for Citrix and Messenger I'd say these people are Microsoft shills
Software that's hard to detect
What? I bet the majority of these companies won't give their users administrator rights anyway so the only way that most of them can be installed is by a technician, and even then a fair few of these companies will be running auditing software on the PCs anyway.
Even if they're not, it's not as if it breaks the bank...
Mine's the one with the Ladybird book of 'The Three Billy Goats Gruff' in the pocket.
Let's hear a resounding "huh?"
Looks more like a list of the most 'popular' (as in common?) programs loaded on a PC?
So, did Microsoft buy Bit9 or just bribe them? Basically this looks like a hate list more accurately described as the most popular PC programs not written by Microsoft. (apologies for implying that M$ has written anything that IS popular)
The only real surprise in this list is the hated Symantec. They love to replace their busted-ass software with even more busted-ass software. And our PCs are configured such that we can't stop it no matter what. Of course since it's what passes for AV on our systems I probably wouldn't; but Damn, I thought these guys were in bed with every PR firm on earth! Maybe this alone is enough to prove Bit9 is a real nobody?
What are they on?
Even their press release has it all wrong...
"Apple iTunes, versions 3.2 and 3.1.2" are listed in the Top 12, yet v3 was released way back in 2002, and iTunes wasn't even available for Windows until v4.1 in October 2003.
Not only are the conclusions faulty, but the "facts" are inaccurate
I administer my corporate network and we use a number of these apps on our computers. I roll out these products and updates to the client PCs using Active Directory managed software installations (we are a fairly small company so don't bother with SMS, but if it can be done in AD, then I am led to believe that it can be done in SMS).
All you need is the MSI which can often be extracted from the executable installer (Java, Adobe Reader) or is provided for download directly from the manufacturer (Flash players, Skype). And of course for the open source packages you can roll your own MSI if you so desire (a company called frontmotion does this for Firefox and has them available for download).
The problem with these apps
Is that most organisations install them but either because of restrictions on the firewall/proxy or lack of permissions on workstations, users cannot update them and they just sit there getting older and older.
If not full function enterprise administration, how about engineering these apps so standard users can update them - would make a huge difference
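An added example (not from the thread, and not a Bit9 or vendor tool) of the check a sysadmin would run against the "they just sit there getting older and older" problem: compare an endpoint inventory export against a minimum-patched baseline and flag what is behind, plus anything nobody is tracking at all. The inventory records, the baseline versions and the product names are constructed for illustration only.

```python
"""Flag installed third-party apps that are behind a known-good version.

Added example; the inventory rows and the baseline numbers below are
constructed for illustration, not real release data.
"""
from dataclasses import dataclass
from itertools import zip_longest


def parse_version(text: str) -> tuple:
    """Turn '3.0.5' / '9.1' / '1.6.0_07' into a tuple of ints.

    '_' and '-' are treated as separators so Java-style build numbers
    compare sensibly; non-numeric fragments become 0.
    """
    parts = []
    for chunk in text.replace("_", ".").replace("-", ".").split("."):
        digits = "".join(ch for ch in chunk if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_is_older(installed: str, baseline: str) -> bool:
    """True when installed is strictly below baseline ('9.1' == '9.1.0')."""
    for x, y in zip_longest(parse_version(installed), parse_version(baseline), fillvalue=0):
        if x != y:
            return x < y
    return False


@dataclass
class InstalledApp:
    host: str
    product: str
    version: str


# Constructed baseline: the minimum version an admin treats as patched.
PATCHED_BASELINE = {
    "Mozilla Firefox": "3.0.5",
    "Adobe Reader": "9.1.0",
    "Sun Java JRE": "1.6.0_11",
    "Apple QuickTime": "7.6",
}

# Constructed inventory export (host, product, version).
INVENTORY = [
    InstalledApp("WS-0101", "Mozilla Firefox", "3.0.5"),
    InstalledApp("WS-0102", "Mozilla Firefox", "2.0.0.14"),
    InstalledApp("WS-0102", "Adobe Reader", "8.1.2"),
    InstalledApp("WS-0103", "Sun Java JRE", "1.6.0_07"),
    InstalledApp("WS-0103", "Apple QuickTime", "7.6"),
    InstalledApp("WS-0104", "Some Unknown Tool", "1.0"),
]


def find_stale(inventory, baseline=PATCHED_BASELINE):
    """Return (stale, untracked).

    stale:     (host, product, installed, required) for apps below baseline
    untracked: (host, product, installed) for apps with no baseline entry,
               so software outside IT's knowledge surfaces instead of
               silently passing.
    """
    stale, untracked = [], []
    for app in inventory:
        required = baseline.get(app.product)
        if required is None:
            untracked.append((app.host, app.product, app.version))
        elif version_is_older(app.version, required):
            stale.append((app.host, app.product, app.version, required))
    return stale, untracked


if __name__ == "__main__":
    stale, untracked = find_stale(INVENTORY)
    for host, product, have, need in stale:
        print(f"{host}: {product} {have} is behind {need}")
    for host, product, have in untracked:
        print(f"{host}: {product} {have} has no baseline entry")
```

The untracked bucket is the useful bit: a plain "is it patched?" check only covers software you already know about, which is exactly the gap the list is complaining about.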
One of the main reasons I avoid both iTunes and Acrobat Reader are the auto-update features. In fact, wasn't there a huge fuss a few months ago when the iTunes auto-updater went and installed Safari on Windows systems without asking - even though the EULA states that you aren't allowed to install it on non-Mac hardware?
To be honest the EULA for iTunes is not to be used within a corporate environment but how this works with them pushing the Jesus phone as a corporate option I don't know. I think the clause is left in there so Apple have the right to sue you if they feel like it.
It's clear though that these guys don't have a clue as any IT dept worth its coffee knows that Adobe is normally a huge risk.
Not exactly totally wrong though.
With poster children for insecurity like Adobe Flash, Java JRE, QuickTime and Messenger, the list is not exactly wrong. Exclusion of IE is damning though.
I know I slept in this morning....
but until April 1st? WSUS updating iTunes?
What next? Fuhrer Brown standing down and calling an election early next year?
I want some of what they are on and will pay top dollar cos it has to be the good stuff
Symantec and Trend are threats to our security? Well that kind of defeats the point, doesn't it? ;)
My office has Trend on all its PCs... I'd better go round uninstalling it from every machine, pronto! And I'll get rid of that Firefox too, if it's such a security risk. If these guys think I'm safer with IE just because I can update it centrally, they must know what they're talking about!
I love a good giggle on a Friday afternoon :D
Paris, because she should always appear on a list of things that could cause your end-point to become infected...
always good to have a laugh on a friday afternoon!
Ah yes, of course it's Firefox's fault....
Only yesterday I had someone ask me if it was possible to block the download of Firefox because users were using it to bypass the proxy.
I pointed out that their firewall should be set so that people bypassing the proxy could not get out to the web at all.
You'd have thought it was obvious wouldn't you?.....
The first question I find myself asking is...
...what are they selling?
Anyone would think the report was written by a rival vendor...
A bunch of these applications - Firefox, Flash, Acrobat Reader, Java, Quicktime, Windows Messenger, etc. all can be updated if you're using a product like Patchlink. It'll patch Real Player as well. There are other products in this space as well - VMware Update manager is one of the other products integrated into Virtual Center.
They're right that some of these companies need to pay more attention to providing update tools and mechanisms, but if you care and can drop a bit of cash on the problem, it's largely solvable, without having to tell your users they can't put anything on the computers. However, you need to buy someone else's product, not the Bit9 whitelisting solution.
"as the little-known Bit9 suggests"
Yeah, little known until they create a controversial (or 'daft' as El Reg puts it) report that everyone over reacts to and makes Bit9 the 'best known' overnight. Bit like the X-Factor, it doesn't matter if you're shit, you just need air-time!!
Well done El-Reg for the assist!!
So these products fall into
b) consumer oriented that shouldn't be anywhere near a corporate desktop
or c) security products whose updates a corporate IT team should be controlling, and mandating on a regular basis
WTF are bit9 on about?
No IE ?
And yet IE didn't make it onto the list?
Are you seriously telling me IE has gone a whole year without a "critical vulnerability"? Someone should give Microsoft a cookie. Of the chocolate chip variety.
I'll promptly go and wipe all our ESX servers as clearly they are compromising the safety of the business, and switch back to IE as Firefox is clearly going to cause people to die from deadly virus infections!!
There is a Solution!
You failed to mention that anyone worried by these security holes can easily resolve the problem by deploying "Bit9 Global Software Registry" - so clearly Bit9 are performing a valuable public service by letting us know about these problems, and not just trying to sell something!
Re: Publicity Stunt
To be fair, though, the Reg is only telling Reg readers about it, and are Reg readers likely to read it and think 'hey, these guys sound like they know their onions, I will look out for them in future'? Or just have a good smirk?
Speaking of top threats
I've recently published a paper concluding a year's worth of security research that lists the top threats we discovered. The paper is not available on the internet, because we believe that that would defeat the purpose of the paper. However, I can tell you the top 5 threats we discovered, which will make it apparent to you why we did not release it.
1) The internet - Source of 100% of internet transmitted viruses
2) The internet - Number one source of email spam
3) The internet - 100% of DDoS attacks on website occur on the internet
4) The internet - We have discovered indisputable proof that all internet related crime occurs on the internet.
5) The Register - Makes people like you have to read lists like mine.
Ho ho ho, meeeery christmas!
"Often running outside of the IT department’s knowledge or control"
If your corporate desktop policy allows users to install and run any old toss they download off the web without asking you, your security is already fucked way beyond these morons' ability to help you.
Nice try though, and I can imagine a lot of over-stressed "IT managers"* in SMEs buying into it if they think it will stop their idiot users whining at them. Might even be worth it, just for that.
*E.g. those who have somehow found themselves in charge of an IT infrastructure that they are neither competent, nor sufficiently resourced, nor empowered by policy, to manage properly. E.g. almost all of them. I worked with a guy once who was in this position and re-wrote the org's security policy so that the security of the individual PC was the responsibility of the user, rather than the IT function, just to get around this kind of thing, neat hack.
"whitelisting firm Bit9"...
Perhaps these are the vendors who don't play ball with Bit9's whitelisting technology? As in, this is the "these are the jerks who change their stuff without telling us," list. This, of course, depends on if the Bit9 whitelisting stuff can tell the difference between, say, Firefox version <hackable>, and Firefox version <current>.
"Often running outside of the IT department’s knowledge or control, these applications"...
Oh, so that would mean to find these horrible, ghastly, applications, we need what, exactly? Oh, I already forgot, "whitelisting firm Bit9".
I can see where they're trying to go with this, but I can't quite wrap my head around the conclusions. This is obviously something that was conceived by, driven by, and finalized by, a group of marketing types.
Mine has the "Byte Ate" logo on the back...'cause I'm retro.
Almost looks like...
.. the list was written by microsoft :P
(apart from that last entry)
So, how much did M$ pay them...
...for bashing Firefox?
As Cartman might say ...
Respect my securitah!
Wow - a lot of comments are out of touch
The reading comprehension failure in some of these comments is entertaining. The reason why IE isn't on here is because Microsoft has provided an automated update process for patching IE. Since the list is supposed to be of apps that DON'T provide an automated update process, IE isn't on. Sorry conspiracy theorists.
Yes, Bit9 is making this announcement for financial gain, but it still doesn't change the fact these apps do represent a threat. Is Bit9's premise a bit over the top? Again, yes, but there is a solid foundation of truth to it, and that shouldn't get lost in the reactions here.
I'm a Firefox user, but even I acknowledge that Mozilla's update process for FF leaves a lot to be desired. It's much better than others listed, but still has some issues. Some instances of FF will take days to pick up an update after it's been released.
Adobe Acrobat reader is not exactly a consumer only-oriented app. I think you'll find a vast majority of businesses use it.
Meanwhile, the apps identified (although unsure about VMware's inclusion at the same level of others) continue to represent a real threat to corporate networks, as they are typically targeted by automated exploit attempts for drive-by downloads, most of which are not detected by traditional AV and malware defenses. Some of the attitudes expressed in the comments would explain the continued success of the botnets. Some of you holding belief in traditional AV as a savior is disturbing, really. You're railing against Bit9's marketing ploy, but at least theirs has some good to it. The traditional AV marketing some of you are still embracing will ultimately do you harm. Time to wake up to the realities of the current threat landscape.
Some accuracy, some not
# Mozilla Firefox
Nope, sorry. Firefox has had vulnerabilities but 80+% of those affected almost all browsers, including IE.
# Adobe Flash & Acrobat
Yes, this one's good. Flash & Acrobat have had tons of security vulnerabilities in the last year alone. It's one of the reasons why I stopped using Acrobat Reader and switched to Foxit (the other being that Acrobat is bloated as feck).
# EMC VMware Player, Workstation and other products
VMware's had some bugs, but nothing really damning as security issues. Anyone remember that bit of dodgy code that was left over that prevented VEs from booting after a particular date?
# Sun Java Runtime Environment (JRE)
Yes, but not that bad. Sun's been getting a lot better about patching.
# Apple QuickTime, Safari & iTunes
Yes, yes, yes. Apple's had tons of security issues with just QuickTime and Safari in the last 6 months alone.
No real "security" issues but there's serious issues with stability, resource management and performance. I would call it more of a security inconvenience than a threat.
# Trend Micro
Anyone take these guys seriously anymore?
# Citrix Products
# Aurigma, Lycos
I haven't heard of either of these in so long, dunno how they were scraped onto this list.
Skype has the /capability/ to be a security risk but there's no outstanding vulnerabilities for it.
# Yahoo! Assistant
# Microsoft Windows Live (MSN) Messenger
Yes, any IM program is a security risk in a corporate environment (unless you only allow for corporate IM). All it takes is for one pud to click a spammed link and release a worm into the network.
Seems fair to me
In a corporate environment, Adobe, all Apple software and a crap load of other stuff are a nightmare to manage without 3rd party tools.
Windows and Office can be done using a centralised management platform that is free of charge. The day Apple do that I'll be gobsmacked.
Re: Ah yes, of course it's Firefox's fault...
Just blocking port 80 is one way to stop Firefox users from bypassing the proxy, another is to put a transparent proxy on the system instead, so they can still use it, think they've evaded the IE hard-wired proxy server but haven't.
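An added example (not from the thread) of the detection side of the point made above and in the earlier "firewall should be set so that people bypassing the proxy could not get out" comment: run over egress firewall log lines and report workstation flows going to web ports directly rather than via the proxy. ACCEPT hits show the egress rule is missing; DROP hits show it is working but someone tried. The log line format, the addresses, the workstation and internal ranges and the proxy host/ports are all constructed assumptions.

```python
"""Find workstation traffic that goes straight to the web instead of via the proxy.

Added example; the log format, addresses and network layout below are
constructed assumptions, not a real firewall's output.
"""
import ipaddress
import re

# Constructed network layout.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
PROXY_HOSTS = {ipaddress.ip_address("10.1.1.10")}
PROXY_PORTS = {3128, 8080}
WEB_PORTS = {80, 443}

# Constructed log shape: "<ts> ACCEPT|DROP src=A:port dst=B:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (203.0.113.x / 198.51.100.x are documentation ranges).
SAMPLE_LOG = """\
2008-12-19T10:01:02 ACCEPT src=10.20.5.17:51234 dst=10.1.1.10:3128
2008-12-19T10:01:05 ACCEPT src=10.20.5.17:51240 dst=203.0.113.8:80
2008-12-19T10:01:09 DROP src=10.20.5.41:51301 dst=198.51.100.3:443
2008-12-19T10:02:00 ACCEPT src=10.1.1.10:40001 dst=203.0.113.8:80
2008-12-19T10:02:30 ACCEPT src=10.20.7.9:51500 dst=10.20.7.1:445
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "action": d["action"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
    }


def is_proxy_bypass(rec):
    """A workstation talking web ports to something other than the proxy."""
    if rec["src"] not in WORKSTATION_NET:
        return False                      # the proxy's own fetches are fine
    if rec["dst"] in PROXY_HOSTS and rec["dport"] in PROXY_PORTS:
        return False                      # going via the proxy, as intended
    if any(rec["dst"] in net for net in INTERNAL_NETS):
        return False                      # internal web servers are not 'the web'
    return rec["dport"] in WEB_PORTS


def find_bypasses(log_text):
    """Return (src, dst, dport, action) for every direct-to-web flow."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_proxy_bypass(rec):
            hits.append((str(rec["src"]), str(rec["dst"]), rec["dport"], rec["action"]))
    return hits


if __name__ == "__main__":
    for src, dst, dport, action in find_bypasses(SAMPLE_LOG):
        print(f"{action}: {src} -> {dst}:{dport} bypassed the proxy")
```

Internal ranges are listed explicitly rather than using `ip_address.is_private`, because Python marks the documentation ranges used in the sample as private and would hide the hits.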
a few just don't get it
People. The list is for Windows *APPLICATIONS*. So Windows itself isn't listed.
IE probably should be on the list but of late Firefox is way more buggy. What are they at now Firefox 188.8.131.52? That's 19 updates since its release. Firefox 3 has had 4 updates. Last I checked, IE had maybe 5 updates all year.
Safari, iTunes and QuickTime are a huge mess. Probably should be #1. Seems every week there is a new bug there.
Unsure why they say Symantec and Trend Micro and not specifically their products.
MSN/Live Messenger has had [I believe] 1 update all year. Why in the top 12? Windows Media Player could have been on the list. So should WinAmp.
Don't feed the Marketing Trolls...
.. or the idiots'll keep doing stuff like this and the trademarked smiley..
Good old whitelisting
... the most efficient, flexible and reactive approach to security... (or would that be the _least_?)
The OS vendors (Apple & MS) need to take some leadership here and provide a common platform that all apps can use to provide updates. That way, all apps on a computer will be updated through one standardized (and corporate-controllable) platform. Apple has this already for their own software, but not for third-party software. MS doesn't even have it for their own stuff --- Office is updated through a different channel than Windows!
I have one thing to say about this list
Ok that was funny, now who the fuck are these guys?
re: a few just don't get it
"Firefox 3 has had 4 updates. Last I checked, IE had maybe 5 updates all year."
Excuse me but could you possibly explain WTF you've been smoking and where we can all get some? You haven't noticed the "Critical security update for IE7" entries nearly every patch Tuesday? I can't give you a precise count at present but 5 is definitely WAY too low by at least a factor of 10!
Bit9 has a point
The list consists of applications / vendors of applications which:
- have an update system in place
- which requires end-users to interact with said system
- which requires those end-users to have installation rights
- which is something end-users in a corporate environment tend not to have, for good reasons.
It's not which app has more holes to patch, but which app is more problematic to patch in a corporate environment. While IE has more holes than Swiss cheese, it's actually easier to patch by pushing the patch to all connected clients. With Firefox you can't.
It's why a lot of IT professionals will not allow Firefox as an alternative to IE on work PCs.
Yes! It should be riskier doing press releases
I don't agree that The Register should avoid giving more press to sleazy vendors like this.
How many IT publications take a press release like this, shuffle a few words around, and print it as a news story? Almost all of them.
The Register is one of the few that looks at the claims and says "maybe you shouldn't take this at face value". If they didn't do this, only the positive echo-the-press-release stories would be out there.
Probably refers to the Citrix VPN client, which although not commonly patched, is critical when it requires patching, and is another application which will fall off the radar unless you plan to maintain it. Which seems to be what this list is about.
Firefox fanbois are as bad as Jesus phone ones. You're NEVER allowed to say anything against their beloved 'visually styled by a 4 year old on acid' browser.
Hmm, not only do Bit9 seem to be scaremongers, they don't even know their facts.
Acrobat, Firefox, the JRE, Quicktime, Safari can all be centrally updated using SMS or whatever.
Citrix and vmware are /not/ consumer products!!!
How many corporate LANs allow MSN Messenger or Skype to be installed?
The corporate AV products from Symantec, Trend Micro can certainly be centrally administered - and which corporates are letting users manage their AV solution themselves?
If either of the last two points applies, the company has far far bigger problems than a few possible out of date security patches.
Oh, and Lycos is a website, guys.
Ahem what OS
Very good report, with no mention of the shafter of all, Microsoft, from the s/w list. I presume they mean Firefox running on Windows?
As I have always said, it's not the software but the underlying OS that's most at fault here. Keep on trolling.