Firefox tops ‘critical’ list

p2p news / p2pnet: Firefox, iTunes & QuickTime, Skype, Adobe Acrobat Reader and Sun Java Run-Time have the dubious distinction of being the Top Five in Bit9’s list of 15 applications with critical security holes.

Each application in this list has the following characteristics, says the company:

  • It’s well-known in the consumer space and frequently downloaded by individuals.
  • It’s not classified as malicious software by enterprise IT organizations.
  • It contains at least one critical vulnerability registered in the U.S. National Institute of Standards and Technology’s (NIST) official vulnerability database at http://nvd.nist.gov.
  • Every item listed has a severity rating between 7.0 and 10.0 (high) on the Common Vulnerability Scoring System (CVSS).
  • It relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.

Firefox: “Multiple vulnerabilities including memory corruption, buffer overflows, errors in garbage collection, and running of arbitrary HTML and Javascript code that in many cases allow the execution of arbitrary code.”

iTunes & QuickTime: “Several buffer overflows in specially crafted image and video & Quicktime / QT 7.0.3 files of various common formats allow remote attackers to cause a denial of service or execute arbitrary code.”

Skype: “A buffer overflow allows a remote attacker to execute arbitrary code when the user clicks on a specially crafted, Skype-specific URL.”

Adobe Acrobat Reader: “An unspecified boundary error can allow a remote attacker to cause a denial of service and possibly execute arbitrary code.”

Sun Java Run-Time: “Allows remote attackers to escape the Java sandbox and Environment (JRE) Update 3, access arbitrary files or execute arbitrary applications via JRE 1.4.2_08 unknown attack vectors.”

In order of appearance, the remaining ten applications cited are:

Macromedia Flash; Winzip; AOL Instant Messenger; Microsoft Windows/MSN Messenger; Yahoo Instant Messenger; Sony / First4 Internet DRM rootkit; BitDefender anti-virus client; Kazaa; RealPlay; and, ICQ chat.

=================

UPDATE: Bit9 has since apologised to BitDefender for wrongly including it in the ‘critical’ list.

Also See:
Bit9 - 15 Popular Applications with Critical Vulnerabilities, May, 2006

6 Responses to “Firefox tops ‘critical’ list”

  1. Reader's Write Says:

    So the top ten are basically all the programs that people who aren’t that hot on computer security have installed and use every day. Lovely.

  2. Reader's Write Says:

    Of course, IE is not on the list. Pick on the old version of a competing browser; just leave MS alone…

    I openly question the list of ‘bad’ apps. I use Firefox under IT’s nose because of the risks in IE. If I am caught, I would lose my work terminal. So much for safe IT practices…

  3. Reader's Write Says:

    “It relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.”

    I’m sorry, Firefox does not fall under this category. The patches are automatically downloaded. Whereas, Opera and IE are not. Get your record straight.

  4. Reader's Write Says:

    On June 20th, Cambridge, Massachusetts-based software security company Bit9 issued a report announcing what it found to be the top 15 applications with known vulnerabilities. While BitDefender 9 was listed among these vulnerabilities, BitDefender has received today a written apology from Bit9’s executives for including these products.

    While BitDefender 9 did include a minor vulnerability last September, BitDefender immediately discovered the problem and issued an automatic patch which required no user intervention.

    “By erroneously including BitDefender 9 among its list of top vulnerabilities, Bit9 has caused great confusion in the IT market and a disservice to our emerging consumer base,” commented Bogdan Dumitru, BitDefender’s chief technology officer. “It is very common for software companies – at some point or another – to find vulnerabilities in their new software releases. As one of the world’s most powerful antivirus software and data security solutions, BitDefender prides itself on ensuring that these vulnerabilities are found and fixed as quickly as possible. In this case, we did just that. It was wrong and slanderous for Bit9 to have issued this week’s statement without first confirming the facts.”

    Today, BitDefender is trusted by over 41 million users worldwide and offers the industry’s most efficient line of anti-virus and data security defense. The company is a recipient of countless awards for its flawless protection of both enterprise and personal computer use software. BitDefender represents the new drivers in the perimeter security market – challenging established vendors which force users to accept less effective and often more costly security applications.

    For further information, please contact: BitDefender@topazpartners.com

  5. Reader's Write Says:

    I must agree with the above Reader/Writer – I have had no problems since switching from IE6 to Firefox, which does, indeed, keep me updated. I once thought IE6 was the greatest thing since sliced bread, and I attributed most of my Malware to other sources; but as soon as I dumped IE6 for Firefox, my malware problems miraculously vanished. (of course, a good desktop utilities program, such as System Suite Professional 6 helps to keep things humming along. I get no royalties or kickbacks from them, but I’ll gladly recommend them any time!)

  6. Reader's Write Says:

    I used to run Spybot all the time when I used IE; since changing over to FF it hasn’t picked up anything other than the odd suspect cookie (easily removed and pretty harmless anyway).

    I haven’t had any viruses or security breaches in 5 years and I run an antivirus-software-free XP install. Education is the key: know what you’re clicking on (don’t hide known file extensions), avoid IE/Outlook (85% of the web/mail client market, more than 85% of viruses written for them). Sure Firefox ain’t perfect, it’ll bleed if you kick it, but in my experience IE goes totally belly up if you hand it some valid HTML!?!

    I also protect myself with Sod’s/Murphy’s law. If you keep everything backed up you’ll never have any virus/spyware/hardware failure problems.
