Auerbach Publications
2007's Top Ten Popular Applications with Critical Vulnerabilities

Brian Gladstein

Seeking the Fully Managed Desktop
As IT professionals, we aim to provide our users with PCs that are secure and well-managed, yet flexible and adaptable. To do this, we rely on a variety of software management and anti-malware tools (see Figure 1) to provide basic - though limited - control. Unfortunately, becoming more secure has traditionally meant sacrificing business flexibility, which is almost always an unacceptable choice.


Figure 1. The gap in desktop software management

So we manage what we can, accepting that a sizable amount of software evades standard control mechanisms. That's usually software that users install on their own - sometimes for business purposes, other times for personal uses, but always outside of the realm of IT's knowledge. This invisible gray zone contains a mix of business tools, consumer applications, unauthorized software, and the latest and most undetectable malware. But for the sake of business flexibility, we keep the controls dialed down and politely deal with the inevitable mess.

One by-product of the trade-off between flexibility and security is the scores of vulnerable applications scattered throughout the environment. They are often difficult to track down and even harder to rectify. More importantly, they can stand in the way of our ability to fully and flexibly control our computing infrastructure. In today's culture of compliance, this lack of control introduces unnecessary security risk and can jeopardize both IT and business operations.

Criteria for the Vulnerable Applications List
To help IT departments understand and ultimately close this gap in endpoint protection, Bit9 has compiled the following list of applications with known vulnerabilities for the year 2007.

The applications on this list meet the following criteria. Each one:

  1. Runs on Microsoft Windows.
  2. Is well-known in the consumer space and frequently downloaded by individuals.
  3. Is not classified as malicious by enterprise IT organizations or security vendors.
  4. Contains at least one critical vulnerability that was:
    a. First reported in June 2006 or after,
    b. Registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at nvd.nist.gov, and
    c. Given a severity rating of high (between 7.0 and 10.0) on the Common Vulnerability Scoring System (CVSS).
  5. Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.

Note that in most cases, the vendors of these applications have issued patches or other instructions for eliminating the vulnerability. But the nature of these applications is such that the user is responsible for implementing the patch. Enterprise IT organizations cannot reliably ensure these patches have been properly applied - if at all - which represents an inherent exposure in protecting the enterprise network.

Finally, the applications on the list have been ranked according to the popularity of the application, number and severity of vulnerabilities, and difficulty of detection and/or patching by central IT.

2007's Popular Applications with Critical Vulnerabilities

Each entry below gives the software, the affected version, the vendor's solution, the nature of the vulnerabilities, and the CVE numbers.

  1. Yahoo! Messenger
    Version: 8.1.0.239 and earlier
    Vendor's solution: Upgrade to 8.1.0.419
    Nature of vulnerabilities: Buffer overflow allows remote attackers to execute arbitrary code via unspecified vectors.
    CVE numbers: CVE-2007-4515, CVE-2007-4391, CVE-2007-3148, CVE-2007-3147, CVE-2007-1680
  2. Apple QuickTime
    Version: 7.2
    Vendor's solution: Patch
    Nature of vulnerabilities: Multiple vulnerabilities allow remote attackers to execute arbitrary commands and code via crafted URLs and Java applets.
    CVE numbers: CVE-2007-4673, CVE-2007-2397, CVE-2007-2396, CVE-2007-2393
  3. Mozilla Firefox
    Version: 2.0.0.6
    Vendor's solution: Upgrade to 2.0.0.7 for some fixes
    Nature of vulnerabilities: Allows remote attackers to execute arbitrary commands through specially crafted URIs.
    CVE numbers: CVE-2007-5045, CVE-2007-4841, CVE-2007-3845
  4. Microsoft Windows Live (MSN) Messenger
    Version: 7.0, 8.0
    Vendor's solution: Upgrade to 7.0.0820 or 8.1
    Nature of vulnerabilities: Heap-based buffer overflow allows user-assisted remote attackers to execute arbitrary code via unspecified vectors involving video conversation handling in Web Cam sessions.
    CVE numbers: CVE-2007-4579, CVE-2007-2931
  5. EMC VMware Player (and other products)
    Version: 2.0, 1.0.4
    Vendor's solution: Upgrade to 2.0.1 or 1.0.5
    Nature of vulnerabilities: Allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow or corrupts stack memory.
    CVE numbers: CVE-2007-0063, CVE-2007-4471, CVE-2007-0061
  6. Apple iTunes
    Version: 7.3.2
    Vendor's solution: Upgrade to 7.4
    Nature of vulnerabilities: Buffer overflow allows remote attackers to terminate the application or execute arbitrary code via a music file with crafted album cover art.
    CVE numbers: CVE-2007-3752
  7. Intuit QuickBooks Online Edition
    Version: 9 and earlier
    Vendor's solution: Upgrade to 10 or patch
    Nature of vulnerabilities: Multiple stack-based buffer overflows in the ActiveX control allow remote attackers to execute arbitrary code via unspecified vectors.
    CVE numbers: CVE-2007-4471, CVE-2007-0322
  8. Sun Java Runtime Environment (JRE)
    Version: 1.6.0_X
    Vendor's solution: Not found
    Nature of vulnerabilities: Buffer overflow in Java Web Start allows remote attackers to have an unknown impact via unexpected arguments to a method call.
    CVE numbers: CVE-2007-5019
  9. Yahoo! Widgets
    Version: 4.0.5 and previous
    Vendor's solution: Upgrade
    Nature of vulnerabilities: Stack-based buffer overflow allows remote attackers to execute arbitrary code via unexpected arguments to a method call.
    CVE numbers: CVE-2007-4034
  10. Ask.com Toolbar
    Version: 4.0.2.53 and previous
    Vendor's solution: Not found
    Nature of vulnerabilities: Stack-based buffer overflow in ActiveX control and Ask Toolbar allows remote attackers to execute arbitrary code.
    CVE numbers: CVE-2007-5107
  11. Broadcom wireless device driver as used in Cisco Linksys WPC300N Wireless-N Notebook Adapter
    Version: 3.50.21.10
    Vendor's solution: Update driver
    Nature of vulnerabilities: Stack-based buffer overflow allows remote attackers to execute arbitrary code via an 802.11 response frame containing a long SSID field.
    CVE numbers: CVE-2006-5882
  12. Macrovision (formerly InstallShield) InstallFromTheWeb
    Version: Unversioned
    Vendor's solution: No longer supported
    Nature of vulnerabilities: Multiple buffer overflows allow remote attackers to execute arbitrary code via crafted HTML documents.
    CVE numbers: CVE-2007-0320

What You Can Do To Control Vulnerable Applications
There are several steps that IT departments can take to shield and fix these vulnerabilities in the application layer. Bit9 recommends the following five-step approach.

  1. Define a full but flexible control policy for applications.
    This policy should answer questions such as: What applications will we authorize users to install or run on their own? What software will not be authorized? How quickly will we react to new vulnerability reports? How much time should we give the user to patch their system before we do it, or we disable the vulnerable application?
  2. Understand where the applications are.
    A complete picture of where vulnerable applications are on your network helps you address the vulnerabilities. After all, if you do not know a user has a vulnerable application when they connect their laptop to a public Wi-Fi hotspot, you risk the loss of data on that computer.
  3. Monitor the Internet for new vulnerabilities.
    Excellent resources are available at sites such as the National Vulnerability Database, the SANS Institute, and the US Computer Emergency Readiness Team.
  4. Monitor your PCs using software identification services.
    Continue to watch the software that is being copied onto the computers you manage and use a software identification service to understand the true nature of that software. Free and easy-to-use services such as FileAdvisor let you look up a file and identify its product, publisher, security rating, and more.
  5. Enforce application controls.
    Application control policies specify what applications can and cannot run while helping you build and automatically maintain a whitelist of authorized software. Vulnerable applications can be easily found and banned, forcing users to upgrade or patch their system. Flexible policies let you manage all the software on your systems, filling the gap in endpoint protection.
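Steps 2 and 5 both depend on knowing which endpoints run a version that falls inside the vulnerable ranges in the table above. The Python below is an added example, not Bit9's product or code from the article: it encodes a subset of the table as rules, compares versions numerically rather than as strings (so 8.1.0.3 is correctly ranked below 8.1.0.239), and audits a constructed inventory whose hostnames and versions are made up.

```python
"""Audit a software inventory against the article's vulnerable-version list."""
import re
from collections import namedtuple

# branch: version prefix the rule covers (() = any); affected_through: inclusive
# upper bound (None = whole branch); remedy: the table's "Vendor's Solution" column.
Rule = namedtuple("Rule", "product branch affected_through remedy cves")

def parse_version(text):
    """'8.1.0.239' -> (8, 1, 0, 239); '1.6.0_02' -> (1, 6, 0, 2). Integer tuples
    compare numerically, so 8.1.0.3 < 8.1.0.239; string comparison gets that wrong."""
    return tuple(int(p) for p in re.split(r"[._]", text.strip()) if p.isdigit())

# Rules transcribed from the article's table (a subset). VMware Player gets one rule
# per branch so the matching upgrade is suggested; Sun JRE 1.6.0_X has no fix listed.
RULES = [
    Rule("Yahoo! Messenger", (), (8, 1, 0, 239), "Upgrade to 8.1.0.419",
         ("CVE-2007-4515", "CVE-2007-4391")),
    Rule("Mozilla Firefox", (2, 0, 0), (2, 0, 0, 6), "Upgrade to 2.0.0.7", ("CVE-2007-5045",)),
    Rule("Apple iTunes", (), (7, 3, 2), "Upgrade to 7.4", ("CVE-2007-3752",)),
    Rule("EMC VMware Player", (2, 0), (2, 0), "Upgrade to 2.0.1", ("CVE-2007-0063",)),
    Rule("EMC VMware Player", (1, 0), (1, 0, 4), "Upgrade to 1.0.5", ("CVE-2007-0063",)),
    Rule("Sun JRE", (1, 6, 0), None, "Not found", ("CVE-2007-5019",)),
]

def is_affected(rule, version):
    """Affected if the version lies inside the rule's branch and at or below the bound."""
    if version[: len(rule.branch)] != rule.branch:
        return False
    return rule.affected_through is None or version <= rule.affected_through

def audit(inventory, rules=RULES):
    """Return (host, product, version, remedy, cves) for every vulnerable install."""
    findings = []
    for host, product, ver_text in inventory:
        version = parse_version(ver_text)
        for rule in rules:
            if rule.product == product and is_affected(rule, version):
                findings.append((host, product, ver_text, rule.remedy, rule.cves))
    return findings

# Constructed sample inventory: hostnames and versions are made up for the demo.
INVENTORY = [
    ("ws-01", "Yahoo! Messenger", "8.1.0.3"), ("ws-01", "Mozilla Firefox", "2.0.0.7"),
    ("ws-02", "Yahoo! Messenger", "8.1.0.419"), ("ws-02", "EMC VMware Player", "1.0.4"),
    ("ws-03", "EMC VMware Player", "2.0.1"), ("ws-03", "Sun JRE", "1.6.0_02"),
]

if __name__ == "__main__":
    print(*audit(INVENTORY), sep="\n")
```

In a real deployment the inventory would come from the software identification service described in step 4, and a finding would feed the ban-or-patch decision in step 5.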

About the Author
Brian Gladstein is the director of product marketing at Bit9, Inc., a leading application control and device control provider. Prior to Bit9, Gladstein was a product manager in RSA Security's SecurID group. Before that, he specialized in sales and marketing for Relicore and WebLine Communications, among others. Gladstein received his MBA from the Stanford Graduate School of Business and holds a BS in Computer Science from the Massachusetts Institute of Technology.

Subscribe to
IT Today
© Copyright 2007 Auerbach Publications