Zero Day readers, why aren't you patching Flash Player?

Adobe's plan to rush out a fix for the latest Flash Player zero-day vulnerability got me thinking about patch adoption rates among ZDNet Zero Day readers.

According to our statistics counter, the majority of you (security-savvy readers?) are very tardy in applying Flash Player updates.

Here are the numbers for Flash Player installations from all visitors to this blog in October 2010.  Only 65% of you are running a fully updated version of Flash Player (10.1.85.3).

Every version of Flash Player marked as "Outdated" is exposed to remote code execution vulnerabilities that can be exploited via the Web to launch drive-by malware downloads (no extra click required).

Like I said, the readers of this blog are mostly security/computer savvy and on top of security issues.  If these readers are so tardy in applying patches for such a commonly targeted application, it's safe to assume the average mom-and-pop users are even further behind.

There really is no excuse to be running an outdated version of Flash.  You can use this link to check your Flash version.   If you're running Mozilla Firefox (33% of you), use the Plugin Check utility.

Here's a look at Zero Day readers that support Java, another huge target for malware attacks:

Frightening.

Talkback

43 comments
  • Patches come daily automatically with Ubuntu

    The zero day blog provides a good service.

    Still, I can't emphasize enough how important having an extra layer of security is.

    Ubuntu Linux comes with AppArmor and various profiles, including ones for Adobe and Firefox. If used, your App's session will be placed in a 'sandbox' so that even though there may be a zero-day that targets your platform, AppArmor stands in its way and stops all privilege escalation attempts.

    Your Ubuntu Canonical repository will automatically dispatch to your system any and all updates just as soon as they become available. In the meantime, your system is safe with AppArmor.

    Ubuntu Linux: The safest operating system on the planet.

    I stake my reputation on it.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Zero Day readers, why aren't you patching Flash Player?

      @Dietrich T. Schmitz, Your Linux Advocate

      Actually, most *nix distros are pretty safe to use but Ubuntu doesn't fare so well in my list, I mean compared to OpenBSD, QNX, Arch or even openSUSE...
      [deXter]
    • RE: Zero Day readers, why aren't you patching Flash Player?

      @Dietrich T. Schmitz, Your Linux Advocate
      same old boring dialog again?
      shellcodes_coder
  • I recommend and use Secunia PSI

    http://secunia.com/vulnerability_scanning/personal/

    It will tell you if Java or Flash (and thousands of other programs) are out of date.
    NonZealot
    • May I recommend Flame Guard Gel?

      @NonZealot

      fyi,
      http://www.energetech.com/flameguard.htm
      Apply liberally to the scalp.
      "Be safe in the knowledge your hair won't catch on fire. Be safe with Flame Guard"
      Dietrich T. Schmitz, ~ Your Linux Advocate
      • I LIKE CAKE

        @Dietrich T. Schmitz, Your Linux Advocate
        http://www.hanselman.com/blog/ILikeCakeCakemailNinjasOnFireAndOtherAnecdotes.aspx
        any time anyone in any meeting said something that was far enough off topic or sufficiently non-sequiturial, someone would declare "I LIKE CAKE!"
        NonZealot
      • RE: Zero Day readers, why aren't you patching Flash Player?

        @Dietrich T. Schmitz, Your Linux Advocate
        Chiatzu
    • RE: Zero Day readers, why aren't you patching Flash Player?

      @NonZealot
      Windows since XP can do that too, but I've found it rather useless as most of the "updates" are unnecessary and so mundane they aren't worth fiddling with. Not to mention the occasional error or gotcha that conflicts with some programs. Windows does it wrong IMO. Always use the vendor for updates; lists are not trustworthy.
      twaynesdomain
      • Actually . . .

        @twaynesdomain

        What Secunia does is direct you to the vendor's website to install the update from there. It also looks around for old versions that need to be uninstalled. Because of this, I noticed that whenever you get a Chrome update (as an example), it simply installs the program, but doesn't remove the old version's folder. You have to go in and manually remove the older version.
        JLHenry
  • Because then they wouldn't be able to honestly claim they didn't get...

    ...infected. They have to continue using older versions of software so they can claim Windows is insecure and provide examples. All the while leaving out critical information such as they are not patching.

    Seriously though...Adobe's update mechanism leaves a lot to be desired.
    ye
  • Because of other Adobe Software

    My husband uses Adobe Connect for work. At least in the past, whenever Java or Flash was updated (I forget which), Connect would quit working, saying it didn't support the new version. He couldn't update Connect, so he'd have to go downgrade, block all automatic updates, and wait until Connect was updated by IT. That could take a couple months. So now he's understandably unwilling to allow any updates until he knows he has enough time to undo them if they break Connect.
    MichP
  • RE: Zero Day readers, why aren't you patching Flash Player?

    WHO told me I needed to update? IT did not. Adobe did not. Wonder why machines get infected? There is no clear way to understand when we need to update! At least Microsoft has auto update.
    davidmpaul
    • RE: Zero Day readers, why aren't you patching Flash Player?

      @davidmpaul I agree. They should have a non-intrusive hot-patching update facility. Flash is too vulnerable to leave unpatched for long durations. Even if they implement an update mechanism that's similar to Chrome, it would be much better than the present implementation.
      [deXter]
  • Linux 64 bit

    I have the latest release for 64 bit Linux on board, and the test says I'm vulnerable.

    So it's not my fault, Adobe hasn't updated the player yet.

    BTW I assume you use Google Analytics to glean the data you provide? If that's the case I'm not included in your stats, g-a is normally the first thing I disallow any scripts from and blacklist upon a clean install of Firefox.

    I also have a user agent switcher and often use different agent reporting, e.g. IE7 on Vista... whereas I really have Firefox on Linux 2.6.34.6
    pgit
    • RE: Zero Day readers, why aren't you patching Flash Player?

      @pgit You may want to check that you really have the latest plugin. I just ran the check with the latest 64-bit plugin under Firefox 4b6 on Fedora 14 and it passed. The latest 64-bit Linux Flash plugin is "Square" preview 2.

      I suspect the biggest burden keeping people on older Flash versions is Adobe's failure to provide quick, no-interaction-required automatic updates for them. If it requires user action, you can be sure a good percentage of people will fail to do it, even among the tech-savvy.
      patrickwbarnes
      • 32 bit lingering...

        @patrickwbarnes Thanks for the nudge. I looked into it and from a troubleshooting episode some time back I had a local plugins folder under /home that was overriding the system plugins under /usr/lib64. It was an older version, way old.

        Glad I mentioned it, and you prodded, thanks.
        pgit
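The failure described in the thread above, an old per-user plugin copy overriding the updated system one, can be checked for mechanically. This is an added example, not part of the original post or its comments; it assumes the caller passes the plugin directories in the browser's precedence order (highest first), and the directory names and the `libflashplayer.so` sample files in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def find_shadowed_plugins(search_dirs, suffix=".so"):
    """Map each plugin filename found in 2+ directories to its copies.

    search_dirs must be in precedence order, highest first (assumption:
    the caller knows the order the browser uses). copies[0] is the winner.
    """
    seen = defaultdict(list)
    for directory in search_dirs:
        if not os.path.isdir(directory):
            continue  # a missing plugin directory is normal
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not name.endswith(suffix) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            seen[name].append((directory, digest, os.path.getmtime(path)))
    return {n: c for n, c in seen.items() if len(c) > 1}


def stale_winners(shadowed):
    """Names whose winning copy differs from, and is older than, a shadowed copy."""
    stale = []
    for name, copies in shadowed.items():
        _, win_digest, win_mtime = copies[0]
        if any(d != win_digest and m > win_mtime for _, d, m in copies[1:]):
            stale.append(name)
    return sorted(stale)


def demo():
    """Constructed sample: an old per-user copy shadowing a newer system copy."""
    with tempfile.TemporaryDirectory() as root:
        user_dir = os.path.join(root, "home_plugins")      # hypothetical
        system_dir = os.path.join(root, "system_plugins")  # hypothetical
        for directory, body, mtime in ((user_dir, b"old build", 1_000_000_000),
                                       (system_dir, b"new build", 1_280_000_000)):
            os.makedirs(directory)
            path = os.path.join(directory, "libflashplayer.so")
            with open(path, "wb") as fh:
                fh.write(body)
            os.utime(path, (mtime, mtime))
        return stale_winners(find_shadowed_plugins([user_dir, system_dir]))
```

Calling `demo()` returns the names of plugins whose active copy is the stale one; on a real machine, pass the actual plugin directories to `find_shadowed_plugins` instead.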
  • because

    I never installed the piece of crap in the first place
    g_keramidas@...
  • RE: Zero Day readers, why aren't you patching Flash Player?

    Because Adobe won't let you update without installing other unwanted software.
    twooters
  • RE: Zero Day readers, why aren't you patching Flash Player?

    I run a program on my browser (Safari) which blocks flash unless I click a symbol (on the page where a flash item is). It saves me HUGE amounts of grief, & it's actually rare I need flash - and then I only click from a trusted source. So I don't update that often (I was only 1 patch back when I checked the links provided).
    kaybradley
    • RE: Zero Day readers, why aren't you patching Flash Player?

      @kaybradley Is that a Safari feature, an add-in, or a 3rd party program?
      twaynesdomain