
Hardware 2.0

Adrian Kingsley-Hughes

35% of YOU are vulnerable to remote code execution!

By Adrian Kingsley-Hughes | November 3, 2010, 10:06am PDT

Summary: Yes, I’m talking to YOU, readers of Hardware 2.0!


After reading Ryan Naraine’s post on Flash adoption rates for readers of his Zero Day blog, and discovering that 35% of his readers were running outdated Flash plug-ins, I decided to check the logs for Hardware 2.0. I was hoping to find that you guys would be on the cutting edge when it came to keeping your software updated.

I was disappointed.

Why? Because the stats for Hardware 2.0 reflect what Naraine sees for his blog.

These stats are for yesterday alone, but taking the data for the month as a whole gives pretty much the same result.

And in case you are wondering, the latest Flash Player update, version 10.1.85.3, has been out since SEPTEMBER 20th!!!!!

FOR SHAME!!!!!

Putting the data another way, if there was a zombie outbreak, and the infection spread via vulnerable Flash players, things would look like this.

And as Naraine says, this is serious stuff:

Every version of Flash Player marked as “Outdated” is vulnerable to remote code execution vulnerabilities that can be exploited via the Web to launch drive-by malware downloads (no extra click required).

Come on, you can do better than this! Next month I’ll look at the data again, and I expect you to do better. Much better!

Don’t make me come over there and update it for you, or worse still, revoke your geek license!

Check to see if your Flash Player is updated NOW!
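The figures above come from comparing the Flash version each visitor's browser reports against the current release. As an added example (my own code, not something from the post or from Adobe), here is the version comparison and the percentage calculation done properly: version strings are parsed into integer tuples rather than compared as text, the comma-separated form ("10,1,85,3") that some version checks emit is accepted alongside the dotted form, and a visit with no reported version (plugin absent or disabled) is counted as "unknown" instead of being lumped in with "outdated", which would inflate the percentage. The log lines are constructed for the example and are not real Hardware 2.0 traffic; the `flash=` field format is an assumption.

```python
"""
Classify Flash Player version strings against the minimum patched release
and compute an "outdated" percentage from web-server log lines.
"""
import re
from collections import Counter

# Version the post names as current on 3 November 2010.
LATEST_FLASH = (10, 1, 85, 3)

# A Flash version string as the plugin reports it ("10.1.85.3"); the
# comma-separated form ("10,1,85,3") is accepted as well.
_VERSION_RE = re.compile(r"^(\d+)[.,](\d+)[.,](\d+)[.,](\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Flash version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def classify(text, latest=LATEST_FLASH):
    """Return 'current', 'outdated' or 'unknown' (no version reported)."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    # Tuple comparison is numeric per component; a plain string compare
    # would wrongly rank "9.0.280.0" above "10.1.85.3".
    return "current" if v >= latest else "outdated"


# Constructed log lines (not real ZDNet data): one visit per line, with the
# Flash version the browser reported, or "none" when the plugin was absent
# or disabled. The "flash=" field is an assumed log format.
SAMPLE_LOG = """\
2010-11-02 09:14:02 198.51.100.7 flash=10.1.85.3
2010-11-02 09:15:40 198.51.100.9 flash=10.1.82.76
2010-11-02 09:16:11 203.0.113.4 flash=10.0.45.2
2010-11-02 09:17:55 203.0.113.5 flash=10.1.85.3
2010-11-02 09:18:03 198.51.100.12 flash=9.0.280.0
2010-11-02 09:18:30 203.0.113.9 flash=none
2010-11-02 09:19:07 198.51.100.7 flash=10.1.85.3
2010-11-02 09:20:49 203.0.113.14 flash=10,1,85,3
"""

_LOG_RE = re.compile(r"flash=(\S+)")


def summarize(log_text, latest=LATEST_FLASH):
    """Count visits per class and return (counts, outdated_percent).

    The percentage is taken over visits that reported a version; 'unknown'
    visits are excluded rather than counted as outdated, so a reader who
    simply has Flash disabled does not skew the result.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue
        counts[classify(m.group(1), latest)] += 1
    known = counts["current"] + counts["outdated"]
    pct = round(100.0 * counts["outdated"] / known, 1) if known else 0.0
    return counts, pct


if __name__ == "__main__":
    counts, pct = summarize(SAMPLE_LOG)
    print(dict(counts), f"{pct}% of known-version visits outdated")
```

On the constructed sample this reports 4 current, 3 outdated and 1 unknown, i.e. 42.9% outdated among visits that reported a version. Bumping `LATEST_FLASH` is all that is needed when Adobe ships the next release (see UPDATE #2 below).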

[UPDATE: Thanks to NonZealot for reminding us that you can use Secunia PSI to scan for outdated Flash plugins, Java and much more.]

[UPDATE #2: Come Thursday, there's a new update to Flash being released because ... yeah, you guessed it ... 10.1.85.3 contains a critical bug! It'll be interesting to watch adoption of this new update.]



Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

31 Comments

RE: 35% of YOU are vulnerable to remote code execution!
Alan Smithie 6th Nov 2010
@NonZealot

Should be compulsory on Windows, nearest thing to Yast or Synaptic for windows.
I recommend and use Secunia PSI
NonZealot Updated - 3rd Nov 2010
http://secunia.com/vulnerability_scanning/personal/

It will tell you if Java or Flash (and thousands of other programs) are out of date.

PS Most Flash vulnerabilities exist in Flash for all OSs, not just Windows. OS X and Linux users must also be vigilant and keep their Flash players up to date. Even worse for OS X users, you probably have Flash on your Mac without even knowing it because up until now, Apple has just gone ahead and installed Flash for you on nearly every Mac.
RE: 35% of YOU are vulnerable to remote code execution!
Adrian Kingsley-Hughes 3rd Nov 2010
@NonZealot Good recommend!
@Adrian Kingsley-Hughes : For companies, even better - get a licensed edition of Flash. They give you a MSI version which allows you to add it to a group policy.
NonZealot thank you...
BubbaJones_ Updated - 3rd Nov 2010
@NonZealot
Yours is a good recommendation.
Good points
use_what_works_4_U Updated - 3rd Nov 2010
@NonZealot
I will say this for Flash on the Mac, though. I only have to update it once. I visited the Flash version check link in Ryan Naraine's blog and was informed that Google Chrome automatically updates its Flash and I was safe. I did it again with IE, and was told I was up to date, which I knew because I installed the update in September when it came out. I then checked with Firefox and found I was a version behind! Why? Because Chrome uses its own version of Flash and auto-updates. IE uses its own version (per the website) and only updates itself after you manually install! All of this on my otherwise very nice Windows 7 PC.

On the Mac it's really simple. There is one version of Flash which is utilized system wide so either you are up to date or you aren't. I'm not saying one way is better or worse, but I wish that it would work this way on my PC as well, just for the simplicity factor.
@macadam
I have had many issues updating flash on Windows. The only way I have found that works reliably is to use the uninstall_flash.exe available from Adobe, and get rid of it completely. Then next time I hit something that needs it, the browser asks to install it and I say OK.
Secunia = TechTracker
keimanzero 3rd Nov 2010
@NonZealot Thanks NZ but like Tech Tracker from CNET a lot of times Secunia tells you to upgrade/update a program that has already been upped or one that is not compatible with your system. I agree though that Secunia is worth the effort as is TT and both are freebies. Now Zip's another story my friend. I have never been advised by either Secunia or TT to upgrade/update a Zip program like 7-Zip or WinZip. BTW what's the easiest Zip program to use for unzipping and extracting and viewing game files? Later gang- K&K
Well, I am good, but......
Economister 3rd Nov 2010
why do I have to visit a web site to check? Why can I not just click on "check for updates" on my computer somewhere? I often prefer to turn automatic updates or notifications off, because I do not like too many processes running in the background. Either I am ignorant or Adobe could do a lot better. I am hoping for the latter.
@Economister
Why can I not just click on "check for updates" on my computer somewhere?

While there is no guarantee that Secunia PSI will keep track of updates for all your software, it sure seems to keep track of an awful lot of applications out there. I've been surprised at some of the tiny applications that I've received notifications about.

http://secunia.com/vulnerability_scanning/personal/
Yes but.....
Economister 3rd Nov 2010
@NonZealot

why is Flash under "plug-ins" in FF, with only a disable button (along with others). Why can there not be an "update" button as well? I should not really need another piece of SW. I just need the functionality to be added to the plug-in listing.

If Adobe is serious about making upgrades easy, you would think they could add this with a few lines of code.
@Economister

You can:

apt-get update
apt-get upgrade -s


Or just click on "Check" in the update manager if you prefer a GUI.
known, or unknown. The past releases of flash have been so bad that there simply isn't a valid reason to trust that their new 'latest and greatest bug-free ultra-secure' one is any better. It is just that no-one's been caught exploiting it -- yet.

Die, flash, die! It can't happen fast enough.

Just my $0.02 USD from someone who is long since tired of cleaning up after Adobe's sloppiness.

Regards,
Jon
@JonathonDoe
Agree completely. Not sure why Flash is required for anything. If I hit a page with Flash, it tells me 1) that I need to install Flash to "get the full content".. and 2) I do not need to see / use / continue on this site. Yet zdnet is compelled to tell us all how much we need this to "fully experience the web" with Flash .. no thanks to the experience thing.
Another nice tool for checking flash is
http://updateflash.org/
It's by the ninite people, and offers a one click updater.
I always see the doomsday percentages of "vulnerable" users out there. What these stats always seem to leave out is, how many of the "vulnerable" percentage of users run something like MSE, and hence for all practical purposes are immune to the threats that may or may not materialize?

True this doesn't mention any specific threat (only the vulnerability), but well before any real threat becomes widespread, good AV software will catch it. And this will make a dramatic difference to the actual number of systems that are truly vulnerable to any given threat.
But
Cylon Centurion Updated - 3rd Nov 2010
*Insert some snarky comment about how I don't run Windows and don't need to/want to/have to care about malware here*
35%? No, 100%.
KTLA 3rd Nov 2010
ANYONE that seriously believes that they aren't running on a system with multiple defects that would allow remote code execution doesn't understand software. At all.
@KTLA just unplug the network cable
@~doolittle~ unless you put some kind of removable media in it.
Oops that is a my Bad
bobiroc 3rd Nov 2010
I sometimes forget to update my own machine at work because we suppress that auto updates of most plugins and push them out from an update server. Most of the tech work stations are not a part of that group.

Thanks to NonZealot for that link to Secunia PSI. I will have to remember that to run on client computers in my side jobs.

I did get a 97% rating though so I only had my flash and Java one revision behind.
If you don't spend your free time at questionable sites then you have nothing to worry about. I have 2 friends who are constantly getting malware and viruses and beg me to help them clean their machine etc. But they won't stop going to sites to download mp3, movies and things of ahem questionable nature.
Yeah....sure thing....
Wow! Hea-vee man! OK I have 10.1.85.3 in Opera, IE9, Firefox and Chrome. Of the 4 only Chrome auto updates Flash for me but TechTracker takes care of the other 3 and warns me when to DL/install new upgrades. Thanx for the tip off Adrian.- K&K
Secunia is a star, I've been using it since it was in beta. The thing to remember is that it is focused on security patches.

I also do periodic scans using some other tools that find other groups of apps that have been updated, not just for security patches:
Sumo from www.kcsoftwares.com/
Update Checker from www.filehippo.com
software Informer from www.informer.com/

They are not perfect, but they do help me find more apps that need updating.
Latest Microsoft Security titbit
keebaud@... 4th Nov 2010
Just discovered EMET. Don't know how much use it'll be in protecting my PC but it should help, even with outdated Adobe products on a Windows XP box. Enjoy.
CAUTION: Some software (badly written, of course) may not work under EMET. For example some 3rd party graphics drivers may cause the system to bluescreen on startup with certain features enabled. Fortunately EMET allows for an opt-in approach as default so with care it should be safe enough.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04
The percentages are wrong. You are assuming that updating to the latest version will protect you. I suspect that everyone you logged has updated to the latest version at least once...yet they are still vulnerable. The problem isn't people not updating, it's coders and designers who keep putting vulnerabilities into the code. Even the latest and greatest probably has vulnerabilities...you just don't know about them yet. It's been that way for well over a decade, so why should this version be any different? If you think that updating makes you safe, think again.

As far as why so many haven't updated, Adobe is at fault there. Their update procedures are bizarre and broken for many of us. At my last (painless) Firefox update, I was told that my Flash plugin was out of date, and given a link to follow to update it. Fine. I took the link and ended up at Adobe's site. I hit the button to upgrade, and was taken to a manual install page with a bunch of instructions that didn't work, even after I downloaded the patch. That was when I decided to go back to earning a living rather than playing with broken update systems...and probably joined your brain food group.

Maybe someday Adobe will quit reinventing the wheel and use the same update systems that are working great for Firefox, Thunderbird, Linux, Windows, and pretty much every other company and software system I use. Until then, there will be lots of people with outdated versions of their software that are more vulnerable than the latest versions...which are vulnerable too of course.
Your stats may be skewed. I'm pretty sure that if users have Flash disabled, they will show up as out of date, even if their Flash installation is the latest version.
I leave Flash disabled by default, and if I hit a website that doesn't work without it, I decide how much I trust the site before letting Flash loose.
Perhaps website developers should just stop using Flash, or any other Adobe program for that matter.

I want to use my computer - without daily nags about patches & updates for this and that crapware.
I tried Secunia and it is a neat tool, useful. Albeit it told me everything I already knew about Adobe AIR, Quicktime, Java, and iTunes being a little out of date... Quite honestly I just didn't want to update these when it asked me last time. Never the less, this is a great tool to check a system with.

As far as being vulnerable I am not so sure, surely there is a more adequate method of calculating this, but I understand the logic. We should not forget that MOST infections occur with the online games hosted by Flash or used on Facebook -- though not sure why people would pay REAL MONEY to buy FAKE MONEY to buy VIRTUAL ITEMS (perplexed at the idiocracy)...sorry, I digress.
So what's a user to do? Every update they put out, contains critical bugs and can still be used for various drive-by malicious code executing cr.....stuff ... if anyone gets their Geek License revoked - IMHO - it's the staff that puts out useless updates.
