Google Chrome tops ‘Dirty Dozen’ vulnerable apps list
By Ellen Messmer
Editor’s Note: The following article is reprinted from Network World.
The Google Chrome browser has earned the dubious distinction of being named the most vulnerable application on the “Dirty Dozen” list of 12 applications with the most discovered software flaws requiring security updates and notifications from January through mid-October.
The annual “Dirty Dozen” list, compiled by security vendor Bit9 based on information available in the National Institute of Standards and Technology’s public National Vulnerability Database, puts Google Chrome in the No. 1 spot with 76 reported vulnerabilities.
The No. 2 spot is held by Apple’s Safari browser at 60 reported vulnerabilities, while Microsoft Office was No. 3 with 57. The rest of the “Dirty Dozen” ranking is as follows:
4. Adobe Acrobat — 54
5. Mozilla Firefox — 51
6. Sun JDK — 36
7. Adobe Shockwave Player — 35
8. Microsoft Internet Explorer — 32
9. RealNetworks RealPlayer — 14
10. Apple WebKit — 9
11. Adobe Flash Player — 8
12. Apple QuickTime and the Opera Web browser (tied) — 6
A variety of vulnerability types, including buffer-overflow and cross-site scripting vulnerabilities, impacted these applications, says Harry Sverdlove, CTO at Bit9, which this year sifted through 3,268 reported vulnerabilities to create its list.
Some exploits of vulnerabilities could allow attackers to compromise the user’s desktop entirely and perhaps pose a risk for the entire organization. A list like the annual “Dirty Dozen” highlights trends and the need to make sure software is kept updated, Sverdlove says.
Google Chrome is a relatively new browser and security researchers may thus be putting a lot of focus on it to discover vulnerabilities, Sverdlove says. In last year’s Dirty Dozen list, which was compiled with slightly different criteria (in 2009, Bit9 excluded the Apple Mac platform), the top vulnerable application named was Mozilla Firefox.