Some of the most-used applications on Windows today are also some of the most vulnerable to security flaws. And it’s often the user’s fault.
A list compiled by enterprise application whitelisting vendor Bit9 found that 12 of the most popular consumer applications are being used despite having vulnerabilities that could make for compromised systems or stolen data.
The rankings — ordered by number of vulnerabilities — include Mozilla Firefox, Apple’s (NASDAQ: AAPL) iTunes, QuickTime and Safari Browser and Adobe’s (NASDAQ: ADBE) Flash and Acrobat. Antivirus utilities didn’t escape mention, with products from Symantec’s (NASDAQ: SYMC) Norton family and from Trend Micro making an appearance. Also on the list were virtualization offerings from VMware (NYSE: VMW) and Citrix Systems (NASDAQ: CTXS).
But Harry Sverdlove, Bit9’s CTO, told InternetNews.com that the real fault generally doesn’t lie with the products’ vendors themselves, most of whom have fixes available for the security holes.
“The vendors update their patches, but end users often don’t install these,” Sverdlove said.
For enterprises, the fact spells trouble — especially since many of these apps slip in without IT knowing. Additionally, the news comes as businesses face growing security threats, punctuated by a slew of recent data breaches, while also contending sharply reduced spending on IT projects.
Bit9’s solution is whitelisting — like having a guard dog. It will not allow anyone into the house until its master tells it that person is accepted. And, even then, it will sit on watch, eyeing a visitor.
“Even if you don’t update or patch your application, as long as you have a whitelist, malware can come in but it can’t execute,” Bit9’s Sverdlove said. “And we alert the IT administrators so that they can take action.”
However, whitelisting is not a panacea, Gerry Egan, director of product management at antivirus vendor Symantec, told InternetNews.com. But neither is blacklisting, which takes the alternate approach by maintaining a list of applications to keep out.
“Where whitelisting breaks down is the same place blacklisting breaks down — there are files used by a few people because they’re new or for a niche application, and they aren’t popular enough for their signatures to be recognized by whitelisting or blacklisting applications,” he said.
Symantec has incorporated some whitelisting technology in its Norton 2009 products, released in September, and is working on a reputation-based technology, Egan added.
This will work similarly to the rating method on Amazon.com and eBay, where products and sellers receive a rating by users, and users’ comments about them are published. Symantec is thinking about leveraging its installed user base to calculate the reputation of applications, Egan said.
“We, as a vendor, will say ‘X number of people have downloaded this application in the past couple of hours and this is what they say, so here’s its rating,” he said.
Symantec is betting that this will make for strong protection against new, unsecured applications that have not been around long enough for blacklisting or whitelisting techniques to recognize their signatures, he added.
Both Bit9’s Sverdlove and Symantec’s Egan agree that whitelisting helps keep out or control polymorphic malware.
Ultimately, though, both Bit9’s Sverdlove and Symantec’s Egan said that it’s critical that end-user applications be patched and managed centrally by the IT department.
“Relying on the user to download or install a patch or make conscious decisions about safety contributes to a breakdown of the process,” Egan said. “Also, the user shouldn’t have to be knowledgeable about security.”