"5) Enforce application controls using Bit9 Parity."
I think I see the point of this now. All it needs to complete it is a popup that says "Your computer is compromised by Firefox! Click here to allow Bit9 to help you!"
Vulnerable applications that fail to lend themselves to updating through corporate tools are creating a security gap, according to a ludicrous list from whitelisting firm Bit9. Bit9's list of "threats in plain sight" names Firefox at the top of a "Dirty Dozen", essentially because it's both popular and has been the subject of …
Remember that in the corporate environment, the end-user doesn't have the option to update, and usually wouldn't have the inclination to update if they could! I've had one of these applications constantly bug me to install updates, when I can't. So, it involves a call to IT to log into my machine and fanny about.
Remember also that overnight managed updates are preferred where possible (i.e. on any desktop machine as it remains plugged into the network after everyone's gone home). IT need to retain the ability to schedule updates for different times as needs change and to dynamically balance out network traffic.
So, an auto-update feature built into an application is useless on the first count, and inflexible on the second count. Centralised updating is the only sensible option, and for this, these apps fail.
What? I bet the majority of these companies won't give their users administrator rights anyway so the only way that most of them can be installed is by a technician, and even then a fair few of these companies will be running auditing software on the PCs anyway.
Even if they're not, it's not as if it breaks the bank...
Mine's the one with the Ladybird book of 'The Three Billy Goats Gruff' in the pocket.
So, did microsoft buy Bit9 or just bribe them? Basically this looks like a hate list more accurately described as the most populate PC programs not written by microsoft. (apologies for implying that M$ has written anything that IS popular)
The only real surprise in this list is the hated Symantec. They love to replace their busted-ass software with even more busted-ass software. And our PCs are configured such that we can't stop it no matter what. Of course since it's what passes for AV on our systems I probably wouldn't; but Damn, I thought these guys were in bed with every PR firm on earth! Maybe this alone is enough to prove Bit9 is a real nobody?
I administer my corporate network and we use a number of these apps on our computers. I roll out these products and updates to the client PCs using Active Directory managed software installations (we are a fairly small company so don't bother with SMS, but if it can be done in AD, then I am led to believe that it can be done in SMS).
All you need is the MSI which can often be extracted from the executable installer (Java, Adobe Reader) or is provided for download directly from the manufacturer (Flash players, Skype). And of course for the open source packages you can roll your own MSI if you so desire (a company called frontmotion does this for Firefox and has them available for download).
Is that most organisations install them but either because of restrictions on the firewall/proxy or lack of permissions on workstations, users cannot update them and they just sit there getting older and older.
If not full function enterprise administration, how about engineering these apps so standard users can update them - would make a huge difference
One of the main reasons I avoid both iTunes and Acrobate Reader are the auto-update features. In fact, wasn't there are huge fuss a few months ago when the iTunes auto-updater went and installed Safari on Windows systems without asking - even though the EULA states that you aren't allowed to install it on non-mac hardware?
To be honest the EULA for itunes is not to be used within a corporate environment but how this works with them pushing the Jesus phone as corporate option I don't know. I think the clause is left in there so apple have the right to sue you if they feel like it.
It clear though that these guys don't have a clue as any IT dept worth its coffee knows that Adobe is normally a huge risk.
Symantec and Trend are threats to our security? Well that kind of defeats the point, doesn't it? ;)
My office has Trend on all its PCs... I'd better go round uninstalling it from every machine, pronto! And I'll get rid of that Firefox too, if it's such a security risk. If these guys think I'm safer with IE just because I can update it centrally, they must know what they're talking about!
I love a good giggle on a Friday afternoon :D
Paris, because she should always appear on a list of things that could cause your end-point to become infected...
Only yesterday I had someone ask me if it was possible to block the download of Firefox because users were using it to bypass the proxy.
I pointed out that their firewall should be set so that people bypassing the proxy could not get out to the web at all.
You'd have thought it was obvious wouldn't you?.....
A bunch of these applications - Firefox, Flash, Acrobat Reader, Java, Quicktime, Windows Messenger, etc. all can be updated if you're using a product like Patchlink. It'll patch Real Player as well. There are other products in this space as well - VMware Update manager is one of the other products integrated into Virtual Center.
They're right that some of these companies need to pay more attention to providing update tools and mechanisms, but if you care and can drop a bit of cash on the problem, it's largely solvable, without having to tell your users they can't put anything on the computers. However, you need to buy someone else's product, not the Bit9 whitelisting solution.
"as the little-known Bit9 suggests"
Yeah, little known until they create a controversial (or 'daft' as El Reg puts it) report that everyone over reacts to and makes Bit9 the 'best known' overnight. Bit like the X-Factor, it doesn't matter if you're shit, you just need air-time!!
Well done El-Reg for the assist!!
You failed to mention that anyone worried by these security holes can easy resolve the problem by deploying "Bit9 Global Software Registry" - so clearly Bit9 are performing a valuable public service by letting us know about these problems, and not just trying to sell something!
I've recently published a paper concluding a years worth of security research that lists the top threats we discovered. The paper is not available on the internet, because we believe that that would defeat the purpose of the paper. However, I can tell you the top 5 threats we discovered, which will make it apparent to you why we did not release it.
1) The internet - Source of 100% of internet transmitted viruses
2) The internet - Number one source of email spam
3) The internet - 100% of DDoS attacks on website occur on the internet
4) The internet - We have discovered indisputable proof that all internet related crime occurs on the internet.
5) The Register - Makes people like you have to read lists like mine.
"Often running outside of the IT department’s knowledge or control"
If your corporate desktop policy allows users to install and run any old toss they download off the web without asking you, your security is already fucked way beyond these moron's ability to help you.
Nice try though, and I can imagine a lot of over stressed "IT managers"* in SMEs buying into it if they think it will stop their idiot users whining at them. Might even be worth it, just for that.
*E.g. those who have somehow found themselves in charge of an IT infrastructure that they are neither competent, nor sufficiently resourced, nor empowered by policy, to manage properly. E.g. almost all of them. I worked with a guy once who was in this position and re-wrote the org's security policy so that the security of the individual PC was the responsibility of the user, rather than the IT function, just to get around this kind of thing, neat hack.
"whitelisting firm Bit9"...
Perhaps these are the vendors who don't play ball with Bit9's whitelisting technology? As in, this is the "these are the jerks who change their stuff without telling us," list. This, of course, depends on if the Bit9 whitelisting stuff can tell the difference between, say, Firefox version <hackable>, and Firefox version <current>.
"Often running outside of the IT department’s knowledge or control, these applications"...
Oh, so that would mean to find these horrible, ghastly, applications, we need what, exactly? Oh, I already forgot, "whitelisting firm Bit9".
I can see where they're trying to go with this, but I can't quite wrap my head around the conclusions. This is obviously something that was conceived by, driven by, and finalized by, a group of marketing types.
Mine has the "Byte Ate" logo on the back...'cause I'm retro.
The reading comprehension failure in some of these comments is entertaining. The reason why IE isn't on here is because Microsoft has provided an automated update process for patching IE. Since the list is supposed to be of apps that DON'T provide an automated update process, IE isn't on. Sorry conspiracy theorists.
Yes, Bit9 is making this announcement for financial gain, but it still doesn't change the fact these apps do represent a threat. Is Bit9's premise a bit over the top? Again, yes, but there is a solid foundation of truth to it, and that shouldn't get lost in the reactions here.
I'm a Firefox user, but even I acknowledge that Mozilla's update process for FF leaves a lot to be desired. It's much better than others listed, but still has some issues. Some instances of FF will take days to pick up an update after it's been released.
Adobe Acrobat reader is not exactly a consumer only-oriented app. I think you'll find a vast majority of businesses use it.
Meanwhile, the apps identified (although unsure about VMware's inclusion at the same level of others) continue to represent a real threat to corporate networks, as they are typically targeted by automated exploit attempts for drive-by downloads, most of which are not detected by traditional AV and malware defenses. Some of the attitudes expressed in the comments would explain the continued success of the botnets. Some of you holding belief in traditional AV as a savior is disturbing, really. You're railing against Bit9's marketing ploy, but at least theirs has some good to it. The traditional AV marketing some of you are still embracing will ultimately do you harm. Time to wake up to the realities of the current threat landscape.
# Mozilla Firefox
Nope, sorry. Firefox has had vulnerabilities but 80+% of those affected almost all browsers, including IE.
# Adobe Flash & Acrobat
Yes, this one's good. Flash & Acrobat have had tons of security vulnerabilities in the last year alone. It's one of the reasons why I stopped using Acrobat Reader and switched to Foxit (the other being that Acrobat is bloated as feck).
# EMC VMware Player, Workstation and other products
VMware's had some bugs, but nothing really damning as security issues. Anyone remember that bit of dodgy code that was left over that prevented VEs from booting after a particular date?
# Sun Java Runtime Environment (JRE)
Yes, but not that bad. Sun's been getting a lot better about patching.
# Apple QuickTime, Safari & iTunes
Yes, yes, yes. Apple's had tons of security issues with just QuickTime and Safari in the last 6 months alone.
No real "security" issues but there's serious issues with stability, resource management and performance. I would call it more of a security inconvenience than a threat.
# Trend Micro
Anyone take these guys seriously anymore?
# Citrix Products
# Aurigma, Lycos
I haven't heard of either of these in so long, dunno how they were scraped onto this list.
Skype has the /capability/ to be a security risk but there's no outstanding vulnerabilities for it.
# Yahoo! Assistant
# Microsoft Windows Live (MSN) Messenger
Yes, any IM program is a security risk in a corporate environment (unless you only allow for corporate IM). All it takes is for one pud to click a spammed link and release a worm into the network.
People. The list is for Windows *APPLICATIONS*. So Windows itself isn't listed.
IE probably should be on the list but of late Firefox is way more buggy. What are they at now Firefox 22.214.171.124? That's 19 updates since it's release. Firefox 3 has had 4 updates. Last I checked, IE had maybe 5 updates all year.
Safari, iTunes and QuickTime are a huge mess. Probably should be #1. Seems every week there is a new bug there.
Unsure why they say Symantec and Trend Micro and not specifically their products.
MSN/Live Messenger has had [I believe] 1 update all year. Why in the top 12? Windows Media Player could of been on the list. so should WinAmp.
The OS vendors (Apple & MS) need to take some leadership here and provide a common platform that all apps can use to provide updates. That way, all apps on a computer will be updated through one standardized (and corporate-controllable) platform. Apple has this already for their own software, but not for third-party software. MS doesn't even have it for their own stuff --- Office is updated through a different channel than Windows!
"Firefox 3 has had 4 updates. Last I checked, IE had maybe 5 updates all year."
Excuse me but could you possibly explain WTF you've been smoking and where we can all get some? You haven't noticed the "Critical security update for IE7" entries nearly every patch Tuesday? I can't give you a precise count at present but 5 is definitely WAY too low by at least a factor of 10!
The list consists of applications / vendors of applications which:
- have an update system in place
- which requires end-users to interact with said system
- which requires those end-users to have installation rights
- which is something end-users in a corporate environment tend not to have, for good reasons.
It's not which app has more holes to patch, but which app is more problematic to patch in a corporate environment. While IE has more holes than swiss cheese, it's actually easier to patch pushing the patch to all connected clients. With Firefox you can't.
It's why a lot of IT professionals will not allow Firefox as an alternative to IE on work pc's.
I don't agree that The Register should avoid giving more press to sleazy vendors like this.
How many IT publications take a press release like this, shuffle a few words around, and print it as a news story? Almost all of them.
The Register is one of the few that looks at the claims and says "maybe you shouldn't take this at face value". If they didn't do this, only the positive echo-the-press-release stories would be out there.
Hmm, not only to bit9 seem to be scaremongers, they don't even know their facts.
Acrobat, Firefox, the JRE, Quicktime, Safari can all be centrally updated using SMS or whatever.
Citrix and vmware are /not/ consumer products!!!
How many corporate lans allow MSNmesseger or Skype to be installed?
The corporate AV products from Symantec, Trend Micro can certainly be centrally administered - and which corporates are letting users manage their AV solution themselves?
If either of the last two points applies, the company has far far bigger problems than a few possible out of date security patches.
Oh, and Lycos is a website, guys.
Biting the hand that feeds IT © 1998–2020