Firefox tops apps security vulnerability list for 2009

Mozilla's open source browser, Firefox, was the subject of 44 CVE vulnerability listings this year, compared to six for Safari and just two for the Opera browser, according to Bit9's Top Vulnerable Applications for IT 2009 report.

"One by-product of the trade-off between flexibility and security are scores of vulnerable applications throughout the environment. They are often difficult to track down and even harder to patch", the report said.

The criteria for inclusion were stringent. Applications must be Windows-based, and must have had at least one security vulnerability this year ranked as High in the NIST vulnerability database. They must not be updatable via an enterprise-based software patching system such as Windows SMS, and finally, eligible applications must rely on the end-user rather than a central administrator to patch the system's security vulnerabilities. On this basis, Internet Explorer was not included, the report added.

"While Microsoft Internet Explorer does not fit the criteria of the list, it is worth noting that there were public releases of zero day exploits targeting IE 6 and 7 in 2009", the report said. A zero-day exploit for Internet Explorer 8 was also recently patched by Microsoft.

Firefox security vulnerabilities included the ability to manipulate JavaScript to cause the execution of arbitrary code, said Bit9.

Other applications that were vulnerable included Adobe Flash Player (seven vulnerabilities) and Adobe Reader (35 flaws). The report was released before the latest Adobe Reader security vulnerability was posted by Adobe this week. Apple's QuickTime, Sun's Java runtime, and the RealPlayer media player were also on the list.
