Calgarypuck Forums - The Unofficial Calgary Flames Fan Community
Old 11-03-2012, 11:25 AM   #1
Mike F
Franchise Player
 
 
Join Date: Jul 2003
Location: Djibouti
Top IT Security Vulnerabilities

Admittedly this is barely thread worthy, but I did find the new report by Kaspersky of the Top 10 Security Vulnerabilities very surprising for who was on and who was absent:
  1. Oracle Java Multiple Vulnerabilities: DoS-attack (Gain access to a system and execute arbitrary code with local user privileges) and Cross-Site Scripting (Gain access to sensitive data). Highly Critical
  2. Oracle Java Three Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical
  3. Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Gain access to sensitive data. Highly Critical.
  4. Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Highly Critical.
  5. Adobe Reader/Acrobat Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical.
  6. Apple QuickTime Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
  7. Apple iTunes Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
  8. Winamp AVI / IT File Processing Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
  9. Adobe Shockwave Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
  10. Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Gain access to sensitive data. Extremely Critical.

I had no idea Adobe products were so vulnerable, and was surprised to see 2 Apple products and no Microsoft products on the list given the common conception about the two companies.
Old 11-03-2012, 11:48 AM   #2
sclitheroe
#1 Goaltender
 
Join Date: Sep 2005

Quote:
Originally Posted by Mike F
I had no idea Adobe products were so vulnerable
#1 risk vector today, especially in business. Flash in the browser and Reader handling PDFs is a security minefield.

Now Adobe has tried to fix some of this by introducing an auto-update mechanism to their products (Flash in particular), not unlike Windows Update - however, I am deeply concerned it will get compromised and allow a mass deployment of a trojan'ed version of Flash. They have already had one security breach along these lines allowing Flash applications to be signed with their private key - the only thing that didn't happen was it getting published to their auto-update server.

The same concern exists for other update mechanisms (Microsoft Update and Apple's App Store update process are the big ones of course), but Adobe is especially "special" when it comes to security in my opinion.
__________________
-Scott
Old 11-03-2012, 01:23 PM   #3
Flash Walken
Lifetime Suspension
 
 
Join Date: Sep 2005
Location: The Void between Darkness and Light

So what's the deal with Java?

Is it safe? Is it Superaids? Is it sometimes superaids if you go to Eastern European porn sites or Chinese warez links?
Old 11-03-2012, 07:57 PM   #4
Rathji
Franchise Player
 
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl

Not really surprised by any of the culprits, but QuickTime. Adobe and Java easily are the single largest time sinks in my desktop hardening regime.

I have been severely tempted to remove Flash and Java from all of our machines and see how long I can stomach the fallout.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."