
This is a discussion on top 10 Applications with Security holes in the Open Discussion & Chit-chat forum

  1. #1
    the_ancient (Loyal Client), Join Date: Feb 2004, Posts: 3,386

    top 10 Applications with Security holes

    Here's a list that you might find surprising: IE is not on the list at all....

    [source]
    Top popular apps with vulnerabilities
    Application: Affected Versions
    1. Mozilla Firefox: 3.x, 2.x
    2. Adobe Flash & Acrobat:
       Flash: 10.0 - 10.0.12.36 and 9.0 - 9.0.151.0
       Acrobat: 8.1.2, 8.1.1
    3. EMC VMware Player, Workstation and other products:
       ESXi 3.5 or earlier
       Workstation 5.5.x
       Player 2.0.x & 1.0.x
       ACE 2.0.x & 1.0.x
    4. Sun Java Runtime Environment (JRE): Version 6 Update 6
    5. Apple Quicktime, Safari & iTunes:
       Quicktime: 7.5.5
       Safari: 6.0.5.20B
       iTunes: 3.2, 3.1.2
    6. Symantec Norton products: 2.7.0.1
    7. Trend Micro OfficeScan:
       8.0 SP1 before build 2439
       8.0 SP1 Patch 1 before build 3087
    8. Citrix Deterministic Network Enhancer (DNE), Access Gateway, Presentation Server:
       DNE 2.21.7.233 - 3.21.7.17464
       Access Gateway 4.5.7
       Presentation Server 4.5
    9. Aurigma Image Uploader, Lycos FileUploader: 4.6.17.0, 4.5.70.0, 4.5.126.0
    10. Skype: 3.6.0.248
    11. Yahoo! Assistant: 3.6
    12. Microsoft Windows Live Messenger: 4.7 & 5.1
    -------------------------
    the_ancient
    MP Technology Group

  2. #2
    Frank Broughton (all about nothing!), Join Date: Jan 2006, Posts: 2,158
    "But Harry Sverdlove, Bit9's CTO, told InternetNews.com that the real fault generally doesn't lie with the products' vendors themselves, most of whom have fixes available for the security holes.

    "The vendors update their patches, but end users often don't install these," Sverdlove said. "
    Would not trade the ad removing power of FF for anything right now! Keep it up to date and all is well.

  3. #3
    Vin DSL (Yeah, I know a LOT!), Join Date: Mar 2003, Location: Arizona Uplands, Posts: 10,775
    That's why everyone should be running Secunia PSI!

    http://secunia.com/vulnerability_scanning/personal/

    You're a fool if you aren't running PSI in the background 24/7/365!

    Top 10 apps? Don't make me laugh. There are 1000's of them!

    EDIT

    Speaking of which...

    PSI_Snappy.png

    Must be providence!
    Last edited by Vin DSL; 12-15-2008 at 11:36 AM.
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  4. #4
    homoludens (Not A Senior Member), Join Date: Sep 2005, Location: H-Town, Posts: 582
    This has been taken apart by various websites. "Bit9 trolls for publicity" was el reg's byline, and that pretty much sums it up for me.

    It's also a faintly ludicrous claim in light of Redmond's last 30 days of vulnerabilities, patches and more vulnerabilities.

  5. #5
    Vin DSL (Yeah, I know a LOT!), Join Date: Mar 2003, Location: Arizona Uplands, Posts: 10,775
    All fixed!

    PSI_Snappy2.png

    Word 2000 & Excel 2000 had 9-Dec-2008 security updates.

    See how easy PSI makes it?

  6. #6
    homoludens (Not A Senior Member), Join Date: Sep 2005, Location: H-Town, Posts: 582
    All fixed!
    So ... um ... are you patched against the latest IE7 vuln ... ?

    See how easy PSI makes it?
    Installed PSI. Watched it hang for half an hour. Uninstalled it.

    I later realised that I'd disabled my firewall in a cunning way that stopped all sorts of apps connecting properly. Sometimes I feel there really aren't enough swear words in the world. I should get round to trying it again.

    I wish I could work out why Windows won't let me give write access to my BITS folder. It's stopping Chrome from installing. No loss, perhaps.

  7. #7
    Vin DSL (Yeah, I know a LOT!), Join Date: Mar 2003, Location: Arizona Uplands, Posts: 10,775
    While we're at it, here's another one for you - the avast! screen saver, no pun intended!

    Most ppl don't even know this feature exists...

    avast!_screenie.jpg

    Everyone is great at installing AV software - but poor at actually using them, e.g. doing regular virus scans!

    The avast! screen saver automatically scans your system for viruses when your machine is idle.

    Here's an example: avast! screen saver in action, combined with the 'MS Bubbles' screen saver...

    Avast!Screenie2.jpg

    Simple pimple! Highly recommended!!!
    Last edited by Vin DSL; 12-15-2008 at 12:27 PM.

  8. #8
    Vin DSL (Yeah, I know a LOT!), Join Date: Mar 2003, Location: Arizona Uplands, Posts: 10,775
    Quote Originally Posted by homoludens View Post
    So ... um ... are you patched against the latest IE7 vuln ... ?

    Installed PSI. Watched it hang for half an hour. Uninstalled it.
    I suppose I'm patched for the vuln - that's how I spend most of my time these days - patching proggies!

    I love staying ahead of 'the game'. If you'll notice in the above pic (lower right corner) I'm running Vista SP2 beta.

    I don't know when you tried PSI last, but it's finally out of beta, so you might want to try it again.

    I commented on this elsewhere. PSI beta was actually more like a rough alpha, so don't judge it poorly if that's what you were running.

    PSI 1.x is still slow, but I don't know of anything else that does the job like PSI!

    Secunia, IMHO, is the best security site on the web, sooo... you might as well live with it, if you can!

  9. #9
    homoludens (Not A Senior Member), Join Date: Sep 2005, Location: H-Town, Posts: 582
    I don't know when you tried PSI last, but it's finally out of beta, so you might want to try it again.
    My brain was in pre-alpha. Or possibly delta. It wasn't Secunia's fault. I used to use their site a lot for info, but these days I use sans.org.

    I suppose I'm patched for the vuln
    The latest IE vuln is unpatched and being actively exploited:

    http://secunia.com/advisories/33089/

  10. #10
    Vin DSL (Yeah, I know a LOT!), Join Date: Mar 2003, Location: Arizona Uplands, Posts: 10,775
    Quote Originally Posted by Vin DSL View Post
    I suppose I'm patched for the vuln - that's how I spend most of my time these days - patching proggies!
    LoL!

    And, speaking of that...

    I just had to update Secunia PSI, CCleaner (Crap Cleaner) on this lappy.

    OMG!!! Will this never stop???

  11. #11
    Vin DSL (Yeah, I know a LOT!), Join Date: Mar 2003, Location: Arizona Uplands, Posts: 10,775
    Quote Originally Posted by homoludens View Post
    The latest IE vuln is unpatched...
    Yep, it's a 0-day, sooo...

    I now suppose I'm not patched, but there's '0' exploits!

    Where did you read that exploits are in the wild? Same site?

    Oh, duh!

    NOTE: Reportedly, the vulnerability is currently being actively exploited.
    Um...

    How can it be a zero day vuln and be exploited?!?!?
    Last edited by Vin DSL; 12-15-2008 at 12:52 PM.

  12. #12
    homoludens (Not A Senior Member), Join Date: Sep 2005, Location: H-Town, Posts: 582
    I now suppose I'm not patched!
    Yeah, but you're so bleeding edge that any malware targeting the vuln probably won't work anyway.

  13. #13
    JPC Member, Join Date: Jan 2006, Posts: 48
    I'd rather avoid the hole altogether and access the internet by cerebral shunt to my cyberdeck.
    In all honesty, I use Linux with <strike>Firefox</strike> Iceweasel and NoScript. It also does help to have a good iptables config (I try to mirror the config I use on my VPS).

  14. #14
    homoludens (Not A Senior Member), Join Date: Sep 2005, Location: H-Town, Posts: 582
    In all honesty, I use Linux with Iceweasel and NoScript
    Are you using Debian or something downstream like *buntu?

    Can you recommend a good admin tool (preferably kde) for iptables or do you use the cli?

  15. #15
    JPC Member, Join Date: Jan 2006, Posts: 48
    On my desktop, I run Debian unstable with some experimental packages (kde4 mainly). My local servers (I have 2 MythBoxes and a backup/test server) run Debian stable (MythBoxes also use Marillat's multimedia repo for MythTV). I tried *buntu and a few other downstream variants, but never had any good luck with them.
    For iptables, I use the CLI. It's pretty straightforward with nothing awkward. However, if you want a GUI, I'm pretty certain KMyFirewall does the job fairly easily (and it's in the official repo). However, if you have a spare computer around, I suggest looking into getting an IPCop box set up.
