There has been a lot of buzz on Twitter (etc.) about the report issued by Bit9 (as reported without details by NeoWin). The list is topped by Firefox, and the top 10 are all non-Microsoft applications … shocker!

Well, if you download the PDF (and read it with Foxit Reader because Adobe Acrobat and Flash are tied for #2 on Bit9’s list), you’ll find these items, among others, in the criteria for apps making the list:

  • Is well-known in the consumer space and frequently downloaded by individuals.
  • Contains at least one critical vulnerability that was first reported in January 2008 or after … [and was] given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
  • Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
  • The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.

There are two big problems here:

  1. It doesn’t matter how long it takes the vendor to issue the patch.
  2. Any application which can be patched by the administrator (or which is patched in WSUS (aka Windows Update)) is automatically excluded from the list — regardless of anything else.

That’s just preposterous.

So preposterous that even The Register couldn’t stand for it.

An application could have a single level 7 vulnerability that was patched within hours, with the patch delivered automatically by the application checking and self-updating … and it would still qualify (this isn’t entirely hypothetical: THREE of the apps on that list had only a single qualifying vulnerability). But if it uses a patching system that has to be run by a highly paid IT professional instead, it wouldn’t qualify even if it had a level 10 vulnerability that has remained open for years … In point of fact, vulnerabilities that have been open for years are disqualified anyway (the cutoff is January 2008), but the point is that the only thing that saves an app from this list is not having any vulnerabilities, or being able to hypothetically apply patches remotely (regardless of whether the patches actually exist).
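To make the complaint concrete, here is the four quoted criteria written out as a filter and run over two constructed, entirely fictional applications. This is an added example, not code from the post or from Bit9: the criteria are reduced to boolean flags and a vulnerability list, the application names and dates are made up, and the `exposure_days` metric is simply the one the criteria never look at.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Thresholds taken from the criteria quoted above.
CVSS_HIGH_RANGE = (7.0, 10.0)
REPORTED_ON_OR_AFTER = date(2008, 1, 1)


@dataclass
class Vuln:
    cvss: float
    reported: date
    patched: Optional[date]  # None means the vendor never shipped a fix


@dataclass
class App:
    name: str
    consumer_popular: bool      # "well-known in the consumer space"
    end_user_patched: bool      # relies on the end user, not a central admin
    central_update: bool        # can be pushed via SMS / WSUS
    vulns: List[Vuln] = field(default_factory=list)


def qualifying_vulns(app: App) -> List[Vuln]:
    """Vulns that count under Bit9's rules: high CVSS, reported 2008 or later.
    Note that neither time-to-patch nor whether a patch exists is consulted."""
    lo, hi = CVSS_HIGH_RANGE
    return [v for v in app.vulns
            if lo <= v.cvss <= hi and v.reported >= REPORTED_ON_OR_AFTER]


def makes_bit9_list(app: App) -> bool:
    """All four quoted criteria must hold for the app to appear on the list."""
    return (app.consumer_popular
            and bool(qualifying_vulns(app))
            and app.end_user_patched
            and not app.central_update)


def exposure_days(v: Vuln, today: date) -> int:
    """How long users were actually exposed; the criteria ignore this."""
    end = v.patched if v.patched is not None else today
    return (end - v.reported).days


def worst_exposure(app: App, today: date) -> int:
    return max((exposure_days(v, today) for v in app.vulns), default=0)


# Constructed sample data (fictional products and dates).
TODAY = date(2009, 12, 15)

# One CVSS 7.0 bug, fixed the same day it was reported, fix delivered by the
# app's own updater. Still qualifies: the end user is the one "applying" it.
SELF_UPDATER = App("SelfUpdater", True, True, False, [
    Vuln(7.0, date(2009, 6, 1), date(2009, 6, 1)),
])

# One CVSS 10.0 bug, open for well over a year, but the product can be
# updated through WSUS, so the fourth criterion excludes it outright.
ADMIN_PATCHED = App("AdminPatched", True, False, True, [
    Vuln(10.0, date(2008, 3, 1), None),
])


def ranking(apps: List[App], today: date):
    """Return (name, on_list, worst_exposure_days) for each app."""
    return [(a.name, makes_bit9_list(a), worst_exposure(a, today)) for a in apps]


if __name__ == "__main__":
    for name, listed, days in ranking([SELF_UPDATER, ADMIN_PATCHED], TODAY):
        print(f"{name:14} on list: {listed!s:5} worst exposure: {days} days")
```

Running it prints the inversion the text describes: the app whose users were exposed for zero days is on the list, and the app whose CVSS 10 hole has been open for 654 days is not, purely because of who is expected to push the patch.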

Stop spreading this list

I’m begging you: if you’re a reporter, a blogger, a tweeter — do your research before you help companies spread disinformation… and please note that Bit9’s sole reason for creating this list is to market their enterprise management, patching, and white-listing product.
