TMCnet News

Web Browsers, Desktop Software Top "Dirty Dozen" Apps List
[November 16, 2010]

Web Browsers, Desktop Software Top "Dirty Dozen" Apps List

WALTHAM, Mass. --(Business Wire)--

Bit9, Inc. today unveiled its fourth annual report of the top applications with reported security vulnerabilities in 2010. Google (News - Alert) Chrome placed first on the "Dirty Dozen" list, followed by Apple Safari and Microsoft Office. Apple and Adobe are the most represented companies with three applications each making this year's list. The "2010 Top Vulnerable Applications" report serves as a warning to enterprises about the risks of employees downloading unauthorized software and affirms the importance of staying current with software updates.

The report represents a "who's who" of venerable tech companies and the applications most popular with enterprises and consumers alike, and contradicts the perception that Apple software is the most secure. The "Dirty Dozen" list ranks applications by the number of reported "high severity" vulnerabilities that impacted end users during 2010, and includes the following:

1. Google Chrome (76 reported vulnerabilities)

2. Apple Safari (60)

3. Microsoft (News - Alert) Office (57)

4. Adobe Reader and Acrobat (54)

5. Mozilla Firefox (51)

6. Sun Java Development Kit (36)

7. Adobe Shockwave Player (35)

8. Microsoft Internet Explorer (32)

9. RealNetworks (News - Alert) RealPlayer (14)

10. Apple WebKit (9)

11. Adobe Flash Player (8)

12. Apple QuickTime (6) and Opera (6) - TIE

"The reality is every enterprise, including our own, is likely using at least one of the applications, and unpatched vulnerabilities are often used as the access point for the targeted enterprise attacks making headlines these days," said Harry Sverdlove, CTO of Bit9. "Our new report reveals the most popular applications often have the most vulnerabilities that criminals can exploit, and serves as a wake-up call to enterprise IT teams to be vigilant about proactively protecting their endpoints and keeping all applications updated."

In most cases, vendors on the list have issued patches to repair identified vulnerabilities. The enterprise is still at risk becaue the end user is often responsible for implementing the patch. Enterprise IT teams must monitor their endpoints to ensure patches have been properly applied. Enterprises and government agencies that do not have application controls in place are not able to protect against the zero-day attacks in which no patches or fixes exist.

Research Methodology

This 2010 Top Vulnerable Applications list is created for IT professionals who are responsible for providing secure and well-managed computers, while at the same time dealing with users who download software that is vulnerable to malicious attacks and is often not approved by company policy.

The applications on the list were pulled from the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database and meet the following criteria:

  • Is an end-user/consumer application and not an enterprise-only application like a server or router.
  • Is not classified as malicious by enterprise IT organizations or security vendors
  • Contains at least one critical vulnerability that was:
    • Reported between January 1, 2010 through October 21, 2010
    • Registered in the NIST database at, and given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS)

High-profile security breaches in both public and private sectors this year have increased the need to better monitor, protect and control applications and endpoints. With this report, IT managers can better understand the prevalence of application vulnerabilities, and learn how to take the necessary steps to proactively protect their endpoints and networks with new advanced threat protection technologies. To read the full research report and Bit9's six step approach to addressing these vulnerabilities, please view Bit9's report here. Additional resources are available at sites such as the National Vulnerability Database ( and the SANS Institute (News - Alert) (

About Bit9

Bit9 is the leader in Advanced Threat Protection. The company's award-winning products provide total visibility and control over all software on endpoints, eliminating the risk caused by malicious, illegal and unauthorized software. Bit9 specializes in protecting organizations against the Advanced Persistent Threat.

Bit9 leverages the Bit9 Global Software Registry™ -- the world's largest database of software intelligence -- to identify and classify software, delivering the highest levels of endpoint security, compliance, and manageability. The company's global customers come from a wide variety of industries, such as government, financial services, retail, healthcare, e-commerce and education.

Bit9 was awarded a prestigious $2M United States federal research grant in 2003 from the National Institute of Standards and Technology-Advanced Technology Program (NIST ATP (News - Alert)) to conduct the research that is now at the core of our application whitelisting solutions. Bit9 is privately held and based in Waltham, Massachusetts. For more information, visit or call +1 617.393.7400.

[ Back To's Homepage ]