Scareware?

"5) Enforce application controls using Bit9 Parity."

I think I see the point of this now. All it needs to complete it is a popup that says "Your computer is compromised by Firefox! Click here to allow Bit9 to help you!"

What a load of idiots

Number 1 should be Internet Exploder. Me thinks this might be a M$ sponsored list.

"Bit9 trolls for publicity"

And gets it courtesy of a slow news day for El Reg. Pressreleasetards, all of you. The shame of it.

Where's the Windows?

I see no mention of that pit of threats called Windows. They can't have excluded it because of its Automatic Updates because you can turn it off. If it wasn't for Citrix and Messenger I'd say these people are Microsoft shills

Software that's hard to detect

What? I bet the majority of these companies won't give their users administrator rights anyway so the only way that most of them can be installed is by a technician, and even then a fair few of these companies will be running auditing software on the PCs anyway.

Even if they're not, it's not as if it breaks the bank...

http://www.ocsinventory-ng.org/

Mine's the one with the Ladybird book of 'The Three Billy Goats Gruff' in the pocket.

Rob

Let's here a resounding "huh?"

Looks more like a list of the most 'popular' (as in common?) programs loaded on a PC?

What are they on?

Even their press release has it all wrong...

"Apple iTunes, versions 3.2 and 3.1.2" are listed in the Top 12, yet v3 was released way back in 2002, and iTunes wasn't even available for Windows until v4.1 in October 2003.

Not exactly totally wrong though.

With poster childs for insecurity like Adobe Flash, Java JRE, Quicktime and Messenger, the list is not exactly wrong. Exclusion of IE is damning though.

Oh dear...

Symantec and Trend are threats to our security? Well that kind of defeats the point, doesn't it? ;)

My office has Trend on all its PCs... I'd better go round uninstalling it from every machine, pronto! And I'll get rid of that Firefox too, if it's such a security risk. If these guys think I'm safer with IE just because I can update it centrally, they must know what they're talking about!

I love a good giggle on a Friday afternoon :D

Paris, because she should always appear on a list of things that could cause your end-point to become infected...

Patchlink?

A bunch of these applications - Firefox, Flash, Acrobat Reader, Java, Quicktime, Windows Messenger, etc. all can be updated if you're using a product like Patchlink. It'll patch Real Player as well. There are other products in this space as well - VMware Update manager is one of the other products integrated into Virtual Center.

They're right that some of these companies need to pay more attention to providing update tools and mechanisms, but if you care and can drop a bit of cash on the problem, it's largely solvable, without having to tell your users they can't put anything on the computers. However, you need to buy someone else's product, not the Bit9 whitelisting solution.

Publicity Stunt

"as the little-known Bit9 suggests"

Yeah, little known until they create a controversial (or 'daft' as El Reg puts it) report that everyone over reacts to and makes Bit9 the 'best known' overnight. Bit like the X-Factor, it doesn't matter if you're shit, you just need air-time!!

Well done El-Reg for the assist!!

er, what?

So these products fall into

a) free

b) consumer oriented that shouldn't be anywhere near a acorporate desktop

or c) security products whose updates a corporate IT team should be controlling, and mandating on a regular basis

WTF are bit9 on about?

No IE ?

And yet IE didn't make it onto the list?

There is a Solution!

You failed to mention that anyone worried by these security holes can easy resolve the problem by deploying "Bit9 Global Software Registry" - so clearly Bit9 are performing a valuable public service by letting us know about these problems, and not just trying to sell something!

Speaking of top threats

I've recently published a paper concluding a years worth of security research that lists the top threats we discovered. The paper is not available on the internet, because we believe that that would defeat the purpose of the paper. However, I can tell you the top 5 threats we discovered, which will make it apparent to you why we did not release it.

1) The internet - Source of 100% of internet transmitted viruses

2) The internet - Number one source of email spam

3) The internet - 100% of DDoS attacks on website occur on the internet

4) The internet - We have discovered indisputable proof that all internet related crime occurs on the internet.

5) The Register - Makes people like you have to read lists like mine.

Ho ho ho, meeeery christmas!

"Often running outside of the IT department’s knowledge or control"

If your corporate desktop policy allows users to install and run any old toss they download off the web without asking you, your security is already fucked way beyond these moron's ability to help you.

Nice try though, and I can imagine a lot of over stressed "IT managers"* in SMEs buying into it if they think it will stop their idiot users whining at them. Might even be worth it, just for that.

*E.g. those who have somehow found themselves in charge of an IT infrastructure that they are neither competent, nor sufficiently resourced, nor empowered by policy, to manage properly. E.g. almost all of them. I worked with a guy once who was in this position and re-wrote the org's security policy so that the security of the individual PC was the responsibility of the user, rather than the IT function, just to get around this kind of thing, neat hack.

Whitelisting...

"whitelisting firm Bit9"...

Perhaps these are the vendors who don't play ball with Bit9's whitelisting technology? As in, this is the "these are the jerks who change their stuff without telling us," list. This, of course, depends on if the Bit9 whitelisting stuff can tell the difference between, say, Firefox version <hackable>, and Firefox version <current>.

"Often running outside of the IT department’s knowledge or control, these applications"...

Oh, so that would mean to find these horrible, ghastly, applications, we need what, exactly? Oh, I already forgot, "whitelisting firm Bit9".

I can see where they're trying to go with this, but I can't quite wrap my head around the conclusions. This is obviously something that was conceived by, driven by, and finalized by, a group of marketing types.

Mine has the "Byte Ate" logo on the back...'cause I'm retro.

So, how much did M$ pay them...

...for bashing Firefox?

Wow - a lot of comments are out of touch

The reading comprehension failure in some of these comments is entertaining. The reason why IE isn't on here is because Microsoft has provided an automated update process for patching IE. Since the list is supposed to be of apps that DON'T provide an automated update process, IE isn't on. Sorry conspiracy theorists.

Yes, Bit9 is making this announcement for financial gain, but it still doesn't change the fact these apps do represent a threat. Is Bit9's premise a bit over the top? Again, yes, but there is a solid foundation of truth to it, and that shouldn't get lost in the reactions here.

I'm a Firefox user, but even I acknowledge that Mozilla's update process for FF leaves a lot to be desired. It's much better than others listed, but still has some issues. Some instances of FF will take days to pick up an update after it's been released.

Adobe Acrobat reader is not exactly a consumer only-oriented app. I think you'll find a vast majority of businesses use it.

Meanwhile, the apps identified (although unsure about VMware's inclusion at the same level of others) continue to represent a real threat to corporate networks, as they are typically targeted by automated exploit attempts for drive-by downloads, most of which are not detected by traditional AV and malware defenses. Some of the attitudes expressed in the comments would explain the continued success of the botnets. Some of you holding belief in traditional AV as a savior is disturbing, really. You're railing against Bit9's marketing ploy, but at least theirs has some good to it. The traditional AV marketing some of you are still embracing will ultimately do you harm. Time to wake up to the realities of the current threat landscape.

Some accuracy, some not

# Mozilla Firefox

Nope, sorry. Firefox has had vulnerabilities but 80+% of those affected almost all browsers, including IE.

# Adobe Flash & Acrobat

Yes, this one's good. Flash & Acrobat have had tons of security vulnerabilities in the last year alone. It's one of the reasons why I stopped using Acrobat Reader and switched to Foxit (the other being that Acrobat is bloated as feck).

# EMC VMware Player, Workstation and other products

VMware's had some bugs, but nothing really damning as security issues. Anyone remember that bit of dodgy code that was left over that prevented VEs from booting after a particular date?

# Sun Java Runtime Environment (JRE)

Yes, but not that bad. Sun's been getting a lot better about patching.

# Apple QuickTime, Safari & iTunes

Yes, yes, yes. Apple's had tons of security issues with just QuickTime and Safari in the last 6 months alone.

# Symantec

No real "security" issues but there's serious issues with stability, resource management and performance. I would call it more of a security inconvenience than a threat.

# Trend Micro

Anyone take these guys seriously anymore?

# Citrix Products

# Aurigma, Lycos

I haven't heard of either of these in so long, dunno how they were scraped onto this list.

# Skype

Skype has the /capability/ to be a security risk but there's no outstanding vulnerabilities for it.

# Yahoo! Assistant

Possibly.

# Microsoft Windows Live (MSN) Messenger

Yes, any IM program is a security risk in a corporate environment (unless you only allow for corporate IM). All it takes is for one pud to click a spammed link and release a worm into the network.

I have one thing to say about this list

HAHAHAHAHAHAHAHAHAHAHAHAHA

*breath*

HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

Ok that was funny, now who the fuck are these guys?

re: a few just don't get it

"Firefox 3 has had 4 updates. Last I checked, IE had maybe 5 updates all year."

Excuse me but could you possibly explain WTF you've been smoking and where we can all get some? You haven't noticed the "Critical security update for IE7" entries nearly every patch Tuesday? I can't give you a precise count at present but 5 is definitely WAY too low by at least a factor of 10!

I'll run

Firefox fanbois are as bad as Jesus phone ones. You're NEVER allowed to say anything against their beloved 'visually styled by a 4 year old on acid' browser.

Automatic nonsense

Hmm, not only to bit9 seem to be scaremongers, they don't even know their facts.

Acrobat, Firefox, the JRE, Quicktime, Safari can all be centrally updated using SMS or whatever.

Citrix and vmware are /not/ consumer products!!!

How many corporate lans allow MSNmesseger or Skype to be installed?

The corporate AV products from Symantec, Trend Micro can certainly be centrally administered - and which corporates are letting users manage their AV solution themselves?

If either of the last two points applies, the company has far far bigger problems than a few possible out of date security patches.

Oh, and Lycos is a website, guys.

Ahem what OS

Very good report with no mention of the shafter of all Microsoft from the s/w list i presume they mean Firefox running on windows ?

as I have always said its not the software but the underlying OS thats most at fault here. keep on trolling