
Top Five Applications With Critical Security Vulnerabilities: Ridiculous

By linathael. Original by Lionel - 23/06/2006 14:31:47 CEST - Category: Internet
The market for IT security is large but very competitive, especially for WinTel systems. Almost every day, an IT security company tries to promote its solutions by issuing press releases that promise heaven while basically reporting nothing new. Today, the company Bit9 has found a new way to promote its "award-winning solutions": designing selection criteria in order to generate a new list of top applications with known vulnerabilities. Amazing but true... The following parameters were selected. An application makes the list if it:
- is well-known in the consumer space and frequently downloaded by individuals;
- is not classified as malicious software by enterprise IT organizations;
- contains at least one critical vulnerability registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database;
- has a severity rating between 7.0 and 10.0 (high) on the CVSS scoring system;
- relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.

So of course, with such settings, the list of the top 5 applications with critical security vulnerabilities is quite unusual:
1. Mozilla Firefox 1.0.7
2. Apple iTunes 6.02 and QuickTime 7.0.3
3. Skype Internet phone 1.4
4. Adobe Acrobat Reader 7.02, 6.03
5. Sun Java Run-Time Environment 5.0 Update 3, JRE 1.4.2_08
All those applications have security updates available and can therefore be patched. The main reason they are listed in the top five is the last parameter of the settings: "relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists".
As a result, such an analysis does not pick up any MS applications, even though it is well known that MSN, for example, is a real plague for IT security, but MS provides automatic updates...
Oops… they also forgot to take into account that in big corporations, users do not have administrative rights on their computers, so such applications are either not installed or are updated by the local IT group…
In addition, the website reporting this news, ITNEWS, has its front page covered with ads promoting Microsoft protection and security systems against malware...
Please, could companies be serious when talking about serious problems??
