Research: 80% of Web users running unpatched versions of Flash/Acrobat

According to research published by Trusteer earlier this month, 79.5% of the 2.5 million users of its Rapport security service run a vulnerable version of Adobe Flash, and 83.5% also run a vulnerable version of Acrobat.

The company also criticized Adobe, insisting that its update mechanism "does not meet the requirements of a system that is used by 99% of users on the Internet and is highly targeted by criminals", while praising the update mechanisms of Google's Chrome and Firefox, whose silent updates close the window of opportunity that malicious attackers would otherwise take advantage of.

Trusteer's findings come a month after Secunia found that Adobe was shipping an insecure version of Reader from its official site, justifying this with the built-in updater, which apparently is not used by the 2.5 million users covered by the research. They were followed by advice in the SANS NewsBites newsletter, issue 61, that organizations should limit the use of Adobe products in order to minimize their attack surface.

Given the high market penetration of Adobe's products, an increase in malicious exploitation of Adobe-related vulnerabilities is only to be expected. However, no web malware exploitation kits in the wild rely exclusively on Adobe-specific vulnerabilities. Instead, the exploit mix served after successful browser recognition attempts to exploit the most common applications found on a particular PC, in order to increase the probability of a successful infection.

Data published by Secunia two months ago indicates the same trend that cybercriminals have been aware of for a while now: the average number of insecure programs per PC is still high, at 3 in the U.S. and 4 in Europe according to the company's data. The company published similar findings two years ago, showing that, from the perspective of a cybercriminal who efficiently infects hundreds of thousands of users by exploiting outdated or unpatched flaws, an unpatched vulnerability is just as handy as a zero-day one.

Adobe's products aren't an exception; they're targeted alongside the rest of the vulnerabilities included in the exploit mix. Don't just make sure you're running the latest versions of Flash and Reader: make sure you're running the latest versions of all the applications on your PC, before cybercriminals do the check for you.
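The advice above amounts to a patch-compliance check: compare what is installed against the lowest version you still consider patched, per product, across every machine you are responsible for. The script below is an added example (not code from the article, Trusteer or Secunia) that does exactly that over a constructed inventory. The inventory format (one tab-separated `host`, `product`, `version` line per installed product), the host names and the version numbers in the baseline are all placeholders chosen for the example, not Adobe's real release history. It also reports a per-product outdated rate, which is the kind of figure Trusteer's 79.5% and 83.5% are.

```python
"""Patch-compliance check over a software inventory (added example).

All sample data below is constructed: the inventory lines, the host names
and the baseline versions are placeholders, not real advisories.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample inventory, as an endpoint agent might report it:
# host <TAB> product <TAB> installed version
SAMPLE_INVENTORY = """\
ws01\tAdobe Flash Player\t9.0.124
ws01\tAdobe Reader\t7.0.3
ws02\tAdobe Flash Player\t10.0.1
ws02\tAdobe Reader\t7.0
ws03\tAdobe Flash Player\t10.0.0.999
ws03\tFoxit Reader\t3.0
ws04\tAdobe Flash Player\t10.1
ws04\tAdobe Reader\t7.0.5
"""

# Constructed baseline: the lowest version still considered patched.
# Replace these placeholders with the versions from the vendor's advisories.
BASELINE: Dict[str, str] = {
    "Adobe Flash Player": "10.0.1",
    "Adobe Reader": "7.0.5",
    "Foxit Reader": "3.0.0",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.124' into (9, 0, 124).

    Only numeric components are kept, so a stray build tag such as '10.0a'
    becomes (10, 0) instead of crashing the comparison.
    """
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_outdated(installed: str, minimum: str) -> bool:
    """True if `installed` sorts below `minimum` component by component.

    Missing trailing components compare as zero, so '7.0' == '7.0.0' and
    '7.0' < '7.0.5'. Plain string comparison would get '9.0' > '10.0' wrong.
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return a < b


def parse_inventory(text: str) -> List[Tuple[str, str, str]]:
    """Parse the tab-separated inventory; blank, comment and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            continue  # malformed line: ignore rather than misattribute a version
        host, product, version = (f.strip() for f in fields)
        rows.append((host, product, version))
    return rows


def audit(inventory_text: str, baseline: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, minimum) for every installation below baseline."""
    findings = []
    for host, product, version in parse_inventory(inventory_text):
        minimum = baseline.get(product)
        if minimum is None:
            continue  # product not in the baseline: out of scope for this check
        if is_outdated(version, minimum):
            findings.append((host, product, version, minimum))
    return findings


def outdated_share(inventory_text: str, baseline: Dict[str, str], product: str) -> float:
    """Fraction of hosts that have `product` installed and are below baseline."""
    hosts_with, hosts_old = set(), set()
    for host, name, version in parse_inventory(inventory_text):
        if name != product:
            continue
        hosts_with.add(host)
        if is_outdated(version, baseline[product]):
            hosts_old.add(host)
    return len(hosts_old) / len(hosts_with) if hosts_with else 0.0


if __name__ == "__main__":
    for host, product, installed, minimum in audit(SAMPLE_INVENTORY, BASELINE):
        print(f"{host}: {product} {installed} is below baseline {minimum}")
    for product in BASELINE:
        share = outdated_share(SAMPLE_INVENTORY, BASELINE, product)
        print(f"{product}: {share:.1%} of hosts outdated")
```

The component-wise comparison is the part worth getting right: a naive string comparison ranks "9.0.124" above "10.0.1", and a four-component build number like "10.0.0.999" must still lose to "10.0.1". A real deployment would feed the script the inventory from whatever asset-management tool the organization already runs and keep the baseline in sync with vendor advisories.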

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

27 comments
  • Thank goodness for regular updates from Adobe's RPM repository!

    The repository ensures that all my 32 bit Flash and Reader installations are up-to-date. The native 64 bit Flash plugin is still "alpha", and I look forward to the day that is added to the repository too. But at least the appearance of a 32 bit update serves as a "heads up" to go check the 64 bit version as well.
    Zogg
  • RE: Research: 80% of Web users running unpatched versions of Flash/Acrobat

    Adobe's patching process isn't up to much when compared with Redmond. However, let's point people to the Flash solution. It's easy... Here is what you need to do:

    * Download and use the Flash un-installer:
    http://kb2.adobe.com/cps/141/tn_14157.html
    * Reboot to clear out any left over ocx files.
    * Reinstall the latest Flash Player:
    http://www.adobe.com/software/flash/about/

    Julian (ID Fraud Expert)
    securityboy
  • RE: Research: 80% of Web users running unpatched versions of Flash/Acrobat

    Forget about everyday users patching Adobe. The majority of users I do work for are running totally outdated versions of the software (Reader). Adobe needs to scan the individual system to detect the version being run and either update Adobe for the user or have a constant alert until they do update the version.
    jagdogg1975@...
  • Adobe's horrible "process"

    How much time have I wasted having to update Adobe products on machines where users lack admin rights? Many, many hours. I especially hate their products that lack a cumulative patch. I'm STILL bothered by Acrobat Pro 7, that eventually required 7.0.1, 7.0.2, 7.0.3, 7.0.4, and 7.0.5 patches, with a reboot between each one! A good half hour lost per machine. Frankly, I'd love to dump most of Adobe's software until they improve the situation.

    Of course, I don't let Microsoft off the hook completely. It's crazy that each company should develop its own update mechanism and oftentimes scheduler. There should be a single updater in Windows that other apps plug into. Scheduling should be done through that updater or perhaps task scheduler. Then everything installed could be viewed under Add/Remove Programs, along with associated patches and an update schedule.
    bmgoodman
    • Adobe Updates

      Adobe needs to understand, and understand immediately, that if they do not come up with some way of allowing enterprises to manage updates to end users' PCs without each of them accessing the internet individually, they are going to lose the enterprise market. I'm in the process of researching alternatives to Adobe in every aspect of our enterprise and encourage all other directors and managers of enterprises to do so as well. The significant loss of market share should wake them up. I hope some Adobe representatives read this and understand the frustrations.
      TheDingoAteMyBaby
      • I doubt there are alternatives to Adobe Flash Player...

        ...unless you want Silverlight, but unfortunately, there is so much content out there that requires Adobe Flash Player. :(
        Grayson Peddie
    • Hooking MS

      [i]There should be a single updater in Windows that other apps plug into. Scheduling should be done through that updater or perhaps task scheduler. Then everything installed could be viewed under Add/Remove Programs, along with associated patches and an update schedule.[/i]

      Pfft. Yes, because Microsoft needs yet another excuse for people to point fingers at them, blaming them for all PC ailments.

      Adobe should keep their own house in order.
      tikigawd
    • Re: Adobe's horrible process

      Not to mention the Internet bandwidth on your circuit that's used up by hundreds (or maybe thousands) of users downloading 30 MB updates. This goes against good Internet security practice too: you generally do not want to allow users to download executable content from the web. That's why you need to get a good malware-filtering deep packet inspection firewall, along with a separate content filtering device. After you have that in place, you can get something like LANDesk to update your users' PCs to whatever version of the applications you deem appropriate.

      The average home PC user doesn't understand all of the expensive stuff that corporate IT departments have to put in place to make everything work properly. Setting up the auto-update mechanism in Adobe may be fine for one PC on a cable modem, but it isn't gonna work for 1,000 PCs at 25 different locations, all homing back to a 3-T1 Internet link.
      cerving
  • Constantly bombarded w/updates

    Adobe products are constantly being updated. It seems like every other day another piece of software on the computers I haven't disabled auto-updates on is asking me or telling me I have to download the latest and greatest followed by the obligatory reboot. And how are these users to tell the difference between the hourly updates and a virus or spy/adware package trying to be installed? I much prefer manual updates run by either the user or a tech once a month.
    Net-Tech_z
  • RE: Research: 80% of Web users running unpatched versions of Flash/Acrobat

    No wonder there are so many Bot-nets in the wild.
    znetlol
  • One reason more people haven't updated.

    Adobe has horribly bloated their products like Acrobat Reader and Flash over the years. People are sticking with older versions that are leaner and take less time to start up, not to mention that newer versions "phone home" more often, causing firewall alarms and doubts in the minds of users.

    I hope that Adobe replacements really take hold, I'm tired of dealing with their BS. I just downloaded Foxit the other day, it is incredibly fast compared to Reader.
    terry flores
    • Foxit Reader FTW!!!

      I also have Foxit Reader. It's been years since I last used Adobe Acrobat Reader under Windows.
      Grayson Peddie
      • Foxit Follows Adobe In Open Vulnerabilities....

        Just look at the Secunia history on Foxit, 50% of the time when a vulnerability applies to AcroReader it also applies to Foxit but Foxit tends to have it open longer since it only finds out when it does a code inspection after AcroReader announces a vulnerability.

        Both readers are almost as vulnerable....wake up and smell the malware.
        dunn@...
    • Not only the programs

      The actual download and update processes have gotten more bloated, more tedious, and basically more annoying over the years. That's a big reason why a lot of people just ignore it.
      Michael Kelly
  • RE: Research: 80% of Web users running unpatched versions of Flash/Acrobat

    When I try to update, I am told that I can't because I use Mozilla Firefox as my browser. Pressure from Microsoft to get people to use THEIR browser?
    mmrbm@...
  • This further demonstrates

    how badly the Windows ecosystem needs a centralized update mechanism for all programs, not just programs for a given vendor. MS would be wise to try to convince its third party developers to reach some sort of compromise as to how to work this out, then get it done.

    It won't be easy with so many vendors (I won't name names, but we know who they are) who insist on using their update mechanisms as a vehicle for promoting other products. But doing that turns people off, and rather than uninstall the offending software people tend to just not update. And yes people need to be smarter than that, but every time something goes wrong in the Windows environment MS gets a black eye, even if it is not necessarily their fault. Centralizing the update mechanisms and keeping the focus on installing timely updates rather than the other BS will remove that threat and give MS many fewer undeserved black eyes.
    Michael Kelly
  • Opening PDFs in a browser is arcane & how I got the latest Flash version

    I never understood the practice of opening PDFs within a browser when they could be just as easily downloaded and viewed separately without slowing down browser performance. This would probably go a long way to make PDFs more secure also.

    The last time I went to Google video, I got a message that I needed to update my Flash Player. This sort of backwards [i]in[/i]compatibility seems like a reasonable solution to security issues.
    valvestate@...
  • RE: Research: 80% of Web users running unpatched versions of Flash/Acrobat

    It would help tremendously if updates were separated as security/critical vs. just new stuff that will add cycles to your processor, services running and consumption of hard drive space. There are MANY people who do not have the financial wherewithal to upgrade to new computers every 2 or 3 years, and technology is being designed assuming everyone has the latest and greatest.
    cgrosse23
  • RE: Research: 80% of Web users running unpatched versions of Flash/Acrobat

    Why aren't there alternative Flash and Shockwave programs? I love Foxit and surely do not like....aw heck with it 'I hate Adobe'. I search at least weekly for replacements to all of their crap software. Software programmers...will you get on this one lol??
    bigbearking@...
  • RE: Research: 80% of Web users running unpatched versions of Flash/Acrobat

    It is pointless for bloody journalists to whinge about "unpatched" systems, if all they do is give the useless advice "upgrade to latest version of Flash player". My PC is not powerful enough to run Flash Player 10 or higher, so I find that type of "advice" quite useless.
    Ed999