Tighten up endpoint protection - Top applications with known vulnerabilities in 2007
As IT professionals, we try just about everything to protect our users' desktops
and ensure they are secure and well-managed, while still being flexible. Unfortunately, we can be frustrated by the amount of unauthorized software on users' systems - and the level of support required to fix them. Current offerings to keep unwanted applications at bay provide, at best, limited protection against this software and the often costly damage associated with it. Faced with these issues, IT executives typically consider locking down their employees' desktops through user privileges and account controls. Unfortunately, this solution cannot be applied consistently to prevent all unauthorized software.
So we manage what we can, accepting that a sizable amount of software evades
standard control mechanisms. That's usually software that users install on their
own - sometimes for business purposes, other times for personal use, but always
outside of the realm of IT's knowledge. This invisible gray zone contains a
mix of business tools, consumer applications, unauthorized software, and the
latest and most undetectable malware. But for the sake of business flexibility,
we keep the controls dialed down and politely deal with the inevitable mess.
One by-product of the trade-off between flexibility and security is scores
of vulnerable applications throughout the environment. They are often difficult
to track down and even harder to rectify. More importantly, they can stand in
the way of our ability to fully and flexibly control our computing infrastructure.
In today's culture of compliance, this lack of control introduces unnecessary
security risk and can jeopardize both IT and business operations.
Criteria for the Vulnerable Applications List
To help IT departments understand and ultimately close the gap in endpoint
protection, Bit9 has compiled the following list of applications with known
vulnerabilities for the year 2007.
The applications on this list meet the following criteria. Each one:
1) Runs on Microsoft Windows.
2) Is well-known in the consumer space and frequently downloaded by individuals.
3) Is not classified as malicious by enterprise IT organizations or security
vendors.
4) Contains at least one critical vulnerability that was:
a. first reported in June 2006 or after,
b. registered in the U.S. National Institute of Standards and Technology's (NIST)
official vulnerability database at http://nvd.nist.gov, and
c. given a severity rating of high (between 7.0 and 10.0) on the Common Vulnerability
Scoring System (CVSS).
5) Relies on the end user, rather than a central administrator, to manually
patch or upgrade the software to eliminate the vulnerability, if such a patch
exists.
Note that in most cases, the vendors of these applications have issued patches
or other instructions for eliminating the vulnerability. But the nature of these
applications is such that the