Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Research: 80% of Web users running unpatched versions of Flash/Acrobat

By | August 25, 2009, 5:41am PDT

According to research published by Trusteer earlier this month, 79.5% of the 2.5 million users of their Rapport security service run a vulnerable version of Adobe Flash, with 83.5% also running a vulnerable version of Acrobat.

The company has also criticized Adobe, insisting that its update mechanism “does not meet the requirements of a system that is used by 99% of users on the Internet and is highly targeted by criminals”, while praising the update mechanisms of Google’s Chrome and Firefox, whose silent updates close the window of opportunity that malicious attackers would otherwise take advantage of.

Trusteer’s research findings come a month after Secunia found that Adobe is shipping an insecure version of Reader from its official site, a practice Adobe justified by pointing to the built-in updater, which apparently is not used by the 2.5 million users mentioned in the research. That was followed by advice in the SANS NewsBites newsletter, issue 61, that organizations should limit the use of Adobe products in order to minimize the attack surface.

Due to the high market penetration of Adobe’s products, it’s fairly logical to witness an increase in malicious exploitation of Adobe-related vulnerabilities. However, there aren’t any web malware exploitation kits in the wild that rely exclusively on Adobe-specific vulnerabilities. Instead, the exploits-mix that is served upon successful browser recognition attempts to exploit the most common applications found on a particular PC in order to increase the probability of successful infection.

Data published by Secunia two months ago indicates the same trend that cybercriminals have been aware of for a while now, namely that the average number of insecure programs per PC is still high: 3 insecure programs per PC in the U.S. on average, and 4 insecure programs per PC in Europe, based on the company’s data. The company published similar findings two years ago, proving that an unpatched vulnerability is just as handy as a zero day one from the perspective of the cybercriminal who’s efficiently infecting hundreds of thousands of users by exploiting outdated/unpatched flaws.

Adobe’s products aren’t an exception; they’re targeted alongside the rest of the vulnerabilities included in the exploits-mix. Don’t just make sure that you’re running the latest version of Flash and Reader; make sure that you’re running the latest versions of all the applications on your PC, before cybercriminals do the check for you.


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

RE: Research: 80% of Web users running unpatched versions of Flash/Acrobat
birumut Updated - 29th Apr 2011
Great!!! thanks for sharing this information to us!
seslisohbet seslichat
The repository ensures that all my 32 bit Flash and Reader installations are up-to-date. The native 64 bit Flash plugin is still "alpha", and I look forward to the day that is added to the repository too. But at least the appearance of a 32 bit update serves as a "heads up" to go check the 64 bit version as well.
Adobe's patching process isn't up to much when
compared with Redmond. However let's point people to
the Flash solution. It's easy... Here is what you need
to do:

* Download and use the Flash un-installer:
http://kb2.adobe.com/cps/141/tn_14157.html
* Reboot to clear out any left over ocx files.
* Reinstall the latest Flash Player:
http://www.adobe.com/software/flash/about/

Julian (ID Fraud Expert)
Forget about everyday users patching Adobe. The majority of users I do work for are running totally outdated versions of the software (Reader). Adobe needs to scan the individual system to detect the version being run and either update Adobe for the user or have a constant alert until they do update the version.
0 Votes
Adobe's horrible "process"
bmgoodman 25th Aug 2009
How much time have I wasted having to update Adobe products on machines where users lack admin rights? Many, many hours. I especially hate their products that lack a cumulative patch. I'm STILL bothered by Acrobat Pro 7, that eventually required 7.0.1, 7.0.2, 7.0.3, 7.0.4, and 7.0.5 patches, with a reboot between each one! A good half hour lost per machine. Frankly, I'd love to dump most of Adobe's software until they improve the situation.

Of course, I don't let Microsoft off the hook completely. It's crazy that each company should develop its own update mechanism and oftentimes scheduler. There should be a single updater in Windows that other apps plug into. Scheduling should be done through that updater or perhaps task scheduler. Then everything installed could be viewed under Add/Remove Programs, along with associated patches and an update schedule.
0 Votes
Adobe Updates
kmbogus@... 25th Aug 2009
Adobe needs to understand and understand immediately if they do not come up with some way of allowing enterprises to manage updates to end-user's PCs without each of them accessing the internet individually they are going to lose the enterprise market. I'm in the process of researching alternatives to Adobe in every aspect of our enterprise and encourage all other directors and managers of enterprises to do so as well. The significant loss of market share should wake them up. I hope some Adobe representatives read this and understand the frustrations.
0 Votes
...unless you want Silverlight, but unfortunately, there is so much content out there that requires Adobe Flash Player. sad
0 Votes
Hooking MS
tikigawd 26th Aug 2009
There should be a single updater in Windows that other apps plug into. Scheduling should be done through that updater or perhaps task scheduler. Then everything installed could be viewed under Add/Remove Programs, along with associated patches and an update schedule.

Pfft. Yes, because Microsoft needs yet another excuse for people to point fingers at them, blaming them for all PC ailments.

Adobe should keep their own house in order.
0 Votes
Re: Adobe's horrible process
cerving 10th Sep 2009
Not to mention the Internet bandwidth on your circuit that's used up by hundreds (or maybe thousands) of users downloading 30 MB updates. This goes against good Internet security practice too; you generally do not want to allow users to download executable content from the web. That's why you need to get a good malware-filtering deep packet inspection firewall, along with a separate content filtering device. After you have that in place, you can get something like LANDesk to update your users' PCs to whatever version of the applications that you deem appropriate.

The average home PC user doesn't understand all of the expensive stuff that corporate IT departments have to put in place to make everything work properly. Setting up the auto-update mechanism in Adobe may be fine for one PC on a cable modem, but it isn't gonna work for 1,000 PCs at 25 different locations, all homing back to a 3-T1 Internet link.
0 Votes
Constantly bombarded w/updates
Net-Tech_z 25th Aug 2009
Adobe products are constantly being updated. It seems like every other day another piece of software on the computers I haven't disabled auto-updates on is asking me or telling me I have to download the latest and greatest followed by the obligatory reboot. And how are these users to tell the difference between the hourly updates and a virus or spy/adware package trying to be installed? I much prefer manual updates run by either the user or a tech once a month.
No wonder there are so many Bot-nets in the wild.
0 Votes
One reason more people haven't updated.
terry flores 25th Aug 2009
Adobe has horribly bloated their products like Acrobat Reader and Flash over the years. People are sticking with older versions that are leaner and take less time to start up, not to mention that newer versions "phone home" more often, causing firewall alarms and doubts in the minds of users.

I hope that Adobe replacements really take hold, I'm tired of dealing with their BS. I just downloaded Foxit the other day, it is incredibly fast compared to Reader.
0 Votes
Foxit Reader FTW!!!
Grayson Peddie 25th Aug 2009
I also have Foxit Reader. It's been years since I've never been using Adobe Acrobat Reader under Windows.
0 Votes
Just look at the Secunia history on Foxit, 50% of the time when a vulnerability applies to AcroReader it also applies to Foxit but Foxit tends to have it open longer since it only finds out when it does a code inspection after AcroReader announces a vulnerability.

Both readers are almost as vulnerable....wake up and smell the malware.
0 Votes
Not only the programs
Michael Kelly 26th Aug 2009
The actual download and update processes have gotten more bloated, more tedious, and basically more annoying over the years. That's a big reason why a lot of people just ignore it.
When I try to update, I am told that I can't because I use Mozilla Firefox as my browser. Pressure from Microsoft to get people to use THEIR browser?
0 Votes
This further demonstrates
Michael Kelly 26th Aug 2009
how badly the Windows ecosystem needs a centralized update mechanism for all programs, not just programs for a given vendor. MS would be wise to try to convince its third party developers to reach some sort of compromise as to how to work this out, then get it done.

It won't be easy with so many vendors (I won't name names, but we know who they are) who insist on using their update mechanisms as a vehicle for promoting other products. But doing that turns people off, and rather than uninstall the offending software people tend to just not update. And yes people need to be smarter than that, but every time something goes wrong in the Windows environment MS gets a black eye, even if it is not necessarily their fault. Centralizing the update mechanisms and keeping the focus on installing timely updates rather than the other BS will remove that threat and give MS many fewer undeserved black eyes.
I never understood the practice of opening PDFs within a browser when they could be just as easily downloaded and viewed separately without slowing down browser performance. This would probably go a long way to make PDFs more secure also.

The last time I went to Google video, I got a message that I needed to update my Flash Player. This sort of backwards incompatibility seems like a reasonable solution to security issues.
It would help tremendously if updates were separated as security/critical vs just new stuff that will add cycles to your processor, services running and consumption of hard drive space. There are MANY people who do not have the financial wherewithal to upgrade to new computers every 2 or 3 years and technology is being designed assuming everyone has the latest and greatest.
Why aren't there alternative flash and shockwave programs. I love foxit and surely do not like....aw heck with it 'I hate adobe'. I search at least weekly for replacements to all of their crap software. Software programmers...will you get on this one lol??
It is pointless for bloody journalists to whinge about "unpatched" systems, if all they do is give the useless advice "upgrade to latest version of Flash player". My PC is not powerful enough to run Flash Player 10 or higher, so I find that type of "advice" quite useless.
Flash updates aren't that bad, Acrobat on the other hand, ugh. What a bloat fest Acrobat has become.
0 Votes
Someone said...

"It's crazy that each company should develop its own update mechanism and oftentimes scheduler. There should be a single updater in Windows that other apps plug into"

...and someone else posted suggesting the same thing. But be careful what you wish for!

How would you screen what constitutes a valid software vendor? Where do you cut the line between a legit antivirus scanner that just isn't very good, and a fake scanner that does actually kill a few competing malware? Do you really want folks squirting code into your system, or trust every vendor's code submission to be malware-proof?

Else you open the channel to malware so that once it is active, it can "update" itself every hour to stay ahead of antivirus detection, just as patches try to stay ahead of exploits.

Even if you do close the service to a cartel of "legit" vendors, we already have trust issues with these - such as Apple shoving Safari as an "update" to iTunes, etc.

There's no real solution to code quality so poor that it needs constant updating. If code is so buggy we have to leave the system open to vendor-shoved updates, how can we trust the quality of these updates not to cause new problems?

0 Votes
Web users with XP Limited account
wboyer3635@... 27th Aug 2009
Here's a web vulnerability that appears to TOTALLY be Adobe's fault:
XP is a common OS. Home users, and some business users, will use a Limited account to restrict the malware's damage. PROBLEM: the latest Flash versions for 6 months will not update within the Limited account. The admin account allows a Flash update and then the Limited account stops running Flash.

This is a royal pain within some news sites and video in FaceBook. My system at home is an XP MCE 2005 [Media Center Edition] - so I'm not sure if that's the whole problem. Most software updates within the admin account are fixable within the limited account, but Flash is one of those STUBBORN applets that just will not coexist with XP.
0 Votes
What about Secunia?
Harris-E 27th Aug 2009
I run Secunia's Personal Software Inspector on my PC and find it generally useful and accurate. That said, it claims that I need a specific patch for Microsoft Powerpoint Viewer. However, when I download and run the MS patch they reference, the patch software says that it does not apply to the software currently installed on my computer. I do have Powerpoint installed and am completely up to date as far as the Microsoft Update website is concerned. Unless someone besides Secunia validates the accuracy of the evaluations, it is difficult to assess the usefulness of reports like this.
Adobe Flash updates have additional complexity if you run more than one web browser. Your IE installation may be fully patched... but Firefox and Opera need to be done separately.
0 Votes
Adobe Flash problem
griprim12@... 17th Mar 2011
So what are we supposed to use that is secure? Give me a list of secure Flash players and a replacement for Adobe Reader?? Either free from Cnet.com or a paid version????