November 2nd, 2007

Yahoo Messenger, QuickTime top list of most vulnerable Windows apps

Posted by Ryan Naraine @ 8:35 am

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, Metasploit, Microsoft, Passwords, Patch Watch, Pen testing, Responsible disclosure, Spyware and Adware, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Yahoo IM, Apple QuickTime, Yahoo! Inc., Apple Inc., Microsoft Corp., List, Secunia, Bit9, Microsoft Windows, Tools & Techniques

Software products marketed by Yahoo and Apple have topped the list of the most vulnerable Windows-based applications in 2007, according to endpoint security vendor Bit9.

The list, available here (registration required), focuses on popular, widely deployed Windows programs that are often very difficult for an IT department to locate or patch and, as Bit9 explains, “represent unexpected and unquantified vulnerabilities in an enterprise IT environment.”

Yahoo’s standalone IM client, which has been riddled with security holes all year, is #1 on the list. The buggy Yahoo Widgets software also makes an appearance at number 9.

Apple’s QuickTime media player and iTunes music download software also feature high on the list.

Strangely, Microsoft does not feature heavily on the Bit9 list. In fact, a Microsoft product appears only once on the list — Windows Live MSN Messenger at #4.

The Bit9 explanation:

The reason most Microsoft software doesn’t make the list is because by now most companies have a pretty good process in place for identifying, patching, and fixing vulnerable Microsoft software. The same cannot be said for apps like Firefox, iTunes, and other packages.

That does make sense but it’s hard to imagine Internet Explorer 6, the world’s most widely used — and heavily targeted — browser, not making an appearance on this list.

I could also make the argument that Microsoft Word, which has struggled with zero-day attacks and multiple code execution holes, should be high on any list of most-vulnerable Windows apps.

Here’s the top-ten from Bit9:

  1. Yahoo! Messenger 8.1.0.239 and earlier
  2. Apple QuickTime 7.2
  3. Mozilla Firefox 2.0.0.6
  4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
  5. EMC VMware Player (and other products) 2.0, 1.0.4
  6. Apple iTunes 7.3.2
  7. Intuit QuickBooks Online Edition 9 and earlier
  8. Sun Java Runtime 1.6.0_X
  9. Yahoo! Widgets 4.0.5 and previous
  10. Ask.com Toolbar 4.0.2.53 and previous

As I always recommend for Windows users, be sure to scan your system for security holes and apply all the necessary patches. Secunia’s free Web-based software inspector is a great place to start. A downloadable version is also available.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



