Bit9's annual list of top vulnerable applications for 2010 has few surprises.
If it's a browser, it's on the list. That's right: Firefox, IE, Opera, Chrome, and Safari account for nearly half of what Security News Weekly calls the Dirty Dozen.
Much of the rest of the list reads like an "our products" page at Adobe: Reader and Acrobat, Flash, and Shockwave are also among the applications with the highest number of critical vulnerabilities registered in the NIST vulnerability database (NVD) from January through October 2010.
Microsoft Office, Apple QuickTime, Sun's Java Development Kit and RealPlayer round out the list: applications that consumers and enterprises alike are likely to find on most of the PCs and Macs in use today.
Bit9 recommends application reputation and location tracking, continuous endpoint monitoring and application whitelisting as ways to mitigate the threat that exploitable applications pose. These are sound measures for the enterprise, but they do little for the average home or small-business user, who faces the same threats without the tooling.
If you are a home or small business user, consider these measures:
1. Keep your applications patch-current. My article on application software scanners explains how software like AppFresh or Secunia PSI can simplify this task.
2. Use the best of the lot rather than the worst. All the popular browsers are on the list, but not equally: Chrome tops it with 76 critical vulnerabilities, followed by Safari (60), Firefox (51) and IE (32); Opera (6) might be worth a look. Bear in mind that a raw count also reflects how much scrutiny a product attracts and how openly its vendor discloses and fixes bugs, so a low count is evidence of a safer browser, not proof.
3. Use something else. Mac users, make Apple's Preview your default application for PDFs. PC users, try the free Foxit Reader, which offers user-controlled security features. MS Office users, consider OpenOffice.org (OOo), available for Mac OS and Windows. OOo is free, and its compatibility with MS Office gets better with every release. Search NIST's list of critical vulnerabilities: OOo returns far fewer reported critical vulnerabilities than MS Office.
4. Decide whether it's really indispensable. Flash and Shockwave are flashy, but with vulnerability lists this long they may deliver a different kind of shock than you expect. Only you can decide whether your web experience will be diminished without them. Search the list of critical vulnerabilities as you make your decision.
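Measures 2 through 4 all come down to the same check: look a product up in the NIST database and count the serious entries over a window. The script below is an added example, not code from the original post or from Bit9; it replays that methodology (CVSS v2 base score of 7.0 or higher, which NVD labels HIGH since the v2 scale has no "critical" band, published January through October 2010) over a small constructed feed so it runs offline. The record layout follows the NVD JSON 1.1 feed as I recall it (`CVE_Items[].cve.CVE_data_meta.ID`, `impact.baseMetricV2`, `configurations.nodes[].cpe_match[].cpe23Uri`); treat those field names, the `CVE-2010-TESTn` identifiers, the dates and the scores as assumptions, and point it at a real feed file before drawing conclusions.

```python
"""Count HIGH-severity NVD entries per product over a date window (added example).

Record shape assumed to match the NVD JSON 1.1 feed; check against a real file.
"""
from collections import Counter
from datetime import datetime

# Constructed sample feed: IDs, dates, scores and versions are made up for
# illustration and do not describe real vulnerabilities.
SAMPLE_FEED = {"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2010-TEST1"}},
     "publishedDate": "2010-03-12T18:30Z",
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 9.3}, "severity": "HIGH"}},
     "configurations": {"nodes": [{"cpe_match": [   # two versions of one product: count once
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:adobe:flash_player:10.0.45.2:*:*:*:*:*:*:*"},
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:adobe:flash_player:10.0.42.34:*:*:*:*:*:*:*"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2010-TEST2"}},   # score below threshold
     "publishedDate": "2010-05-20T14:00Z",
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 4.3}, "severity": "MEDIUM"}},
     "configurations": {"nodes": [{"cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:adobe:flash_player:10.1.53.64:*:*:*:*:*:*:*"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2010-TEST3"}},   # published after the window
     "publishedDate": "2010-11-02T09:15Z",
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 10.0}, "severity": "HIGH"}},
     "configurations": {"nodes": [{"cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2010-TEST4"}},   # nested node; the OS is not the vulnerable part
     "publishedDate": "2010-08-01T20:00Z",
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 7.5}, "severity": "HIGH"}},
     "configurations": {"nodes": [{"operator": "AND", "children": [
         {"cpe_match": [{"vulnerable": True, "cpe23Uri": "cpe:2.3:a:microsoft:office:2007:sp2:*:*:*:*:*:*"}]},
         {"cpe_match": [{"vulnerable": False, "cpe23Uri": "cpe:2.3:o:microsoft:windows_xp:-:sp3:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2010-TEST5"}},
     "publishedDate": "2010-02-14T03:45Z",
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 9.3}, "severity": "HIGH"}},
     "configurations": {"nodes": [{"cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:google:chrome:4.0.249.89:*:*:*:*:*:*:*"}]}]}},
]}


def parse_cpe23(uri):
    """Return (vendor, product) from a CPE 2.3 formatted string.

    Splits on unescaped colons only, so an escaped colon inside a field
    ("foo\\:bar") is kept as part of that field rather than starting a new one.
    """
    parts, cur, i = [], [], 0
    while i < len(uri):
        ch = uri[i]
        if ch == "\\" and i + 1 < len(uri):   # escape sequence: keep both characters
            cur.append(uri[i:i + 2])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    # layout: cpe:2.3:part:vendor:product:version:update:edition:lang:sw_edition:target_sw:target_hw:other
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % uri)
    return parts[3], parts[4]


def _vulnerable_cpes(nodes):
    """Yield every cpe23Uri flagged vulnerable, descending into AND/OR children."""
    for node in nodes:
        for match in node.get("cpe_match", []):
            if match.get("vulnerable", False):
                yield match["cpe23Uri"]
        yield from _vulnerable_cpes(node.get("children", []))


def count_critical(feed, start, end, min_score=7.0):
    """Map 'vendor:product' to the number of CVEs in [start, end] scoring >= min_score.

    A CVE counts once per product no matter how many versions it lists, and
    entries without a v2 score (not yet analysed) are skipped rather than guessed.
    """
    counts = Counter()
    for item in feed["CVE_Items"]:
        published = datetime.strptime(item["publishedDate"], "%Y-%m-%dT%H:%MZ")
        if not (start <= published <= end):
            continue
        v2 = item.get("impact", {}).get("baseMetricV2")
        if v2 is None or v2["cvssV2"]["baseScore"] < min_score:
            continue
        products = {parse_cpe23(u) for u in _vulnerable_cpes(item["configurations"]["nodes"])}
        for vendor, product in products:
            counts["%s:%s" % (vendor, product)] += 1
    return counts


WINDOW_START = datetime(2010, 1, 1)
WINDOW_END = datetime(2010, 10, 31, 23, 59)


def dirty_dozen_style_counts(feed=SAMPLE_FEED):
    """Apply the post's window (Jan through Oct 2010) and HIGH threshold to a feed."""
    return count_critical(feed, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for product, n in dirty_dozen_style_counts().most_common():
        print("%-25s %d" % (product, n))
```

Two things the sample is built to show: a CVE that lists several versions of one product is still one CVE for that product, and a platform that is merely the environment (the `"vulnerable": False` Windows entry) does not inherit the count. Both are easy to get wrong when comparing, say, OOo against MS Office by hand, and either one will inflate a total.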
Not all of these will be viable or desirable options for every user. Most are free, and the learning curves are not onerous. At the very least, please follow the first measure: keep your applications patch-current.