Java, Reader and Flash are most-exploited Windows programs

Summary: A new long-term study by malware research group AV-Test shows that Adobe's Reader and Flash and all versions of Java are together responsible for a total of 66 percent of the vulnerabilities in Windows systems exploited by malware.

From 2000 through 2013, Java, Adobe Reader and Flash were responsible for 66% of the vulnerabilities exploited by malware on Windows, according to a new study by the research group AV-Test Institute.

The study reinforces the well-known rule that keeping application software up to date is critical for system security. It does not say how many of the exploits were in use before a patch for the targeted vulnerability existed, but such zero-day exploits are undoubtedly a small percentage of the total; the large majority target vulnerabilities for which a fix was already available.

[Figure: ranking of software by number of known exploit versions] The ranking of insecure software according to the number of known exploit versions: a large number of vulnerabilities meant that Java, Adobe Reader and Flash were responsible for 66 percent of the exploit versions recorded between 2000 and 2013. Although other groups were also recorded, they are not presented in the ranking.

The long time span of the study may make it more of historical interest than practical value. Within the last five to ten years both Adobe and Microsoft have improved their software development processes, lowering the overall number of vulnerabilities and the severity of those that get through. Current versions of Windows, and of both Microsoft and Adobe applications, are far more secure than in 2000, or even 2008.

The same is not as true of Java, which is the biggest current problem among the programs tracked by the study, in part because so many users still have old versions of Java installed on their systems.

Other user practices, such as running as a standard user rather than as Administrator, also limit the severity of application exploits: code that runs inside an exploited application inherits only that user's privileges. This was a difficult practice to employ with Windows XP, but in current versions of Windows it is far more practical to run as a standard user.
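The two checks a practitioner would want after reading this are: which versions of Java, Reader and Flash are actually installed on a Windows machine (in particular whether old Java runtimes were left behind), and whether the current session is running elevated. The script below is an added example, not part of the article or the AV-Test study; it reads the standard Uninstall registry keys, and the display-name patterns it matches on are assumptions that should be checked against what Add/Remove Programs shows in your environment.

```powershell
# Added example (not from the article or the AV-Test study): inventory Java,
# Adobe Reader and Flash Player installs and report whether this session is
# elevated. Run on Windows in PowerShell 3 or later.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display-name patterns (assumed). "Java 7 Update 51", "Java(TM) 6 Update 45"
# and "Java 8 Update 201 (64-bit)" all match; "Java Auto Updater" does not.
$patterns = @{
    'Java'   = '^Java(\(TM\))?\s\d'
    'Reader' = '^Adobe (Acrobat )?Reader'
    'Flash'  = '^Adobe Flash Player'
}

# Every installed product that has a display name, from all three hives.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, InstallDate

# Keep only the three products the study names.
$report = foreach ($product in $patterns.Keys) {
    $hits = $installed | Where-Object { $_.DisplayName -match $patterns[$product] }
    foreach ($h in $hits) {
        [pscustomobject]@{
            Product     = $product
            DisplayName = $h.DisplayName
            Version     = $h.DisplayVersion
            InstallDate = $h.InstallDate
        }
    }
}

$report | Sort-Object Product, Version | Format-Table -AutoSize

# More than one Java entry almost always means older runtimes the updater
# left behind; each one is a separately exploitable target.
$javaCount = @($report | Where-Object { $_.Product -eq 'Java' }).Count
if ($javaCount -gt 1) {
    Write-Warning "$javaCount Java runtimes installed; uninstall all but the newest."
} elseif ($javaCount -eq 0) {
    'No Java runtime found.'
}

# Is this session running with an elevated token? This is $false both for a
# standard user and for an administrator whose token UAC has filtered, which
# is the situation the article recommends for day-to-day use.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running elevated: $elevated"
```

The registry keys are what Add/Remove Programs itself reads, so the inventory matches what the user sees there; per-user installs (HKCU) are included because some Flash and Reader installers write there. Compare the reported versions against the vendors' current release pages by hand; the script deliberately does not go online.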

Topics: Security, Microsoft, Windows

Talkback

16 comments
  • Used to Like Java

    "so many users still have old versions of Java installed on their systems."

    Is it any wonder? Their versions are barely backwards compatible. We wanted to upgrade but the latest version broke our programs with a hastily implemented security model.

    What on earth is Adobe doing with Reader? It's a document format. It should not have the same extent of vulnerabilities as a full-fledged programming environment. Maybe we should switch back to TXT files, which have fewer loopholes.
    kurio99
    • switch back to TXT

      Just switch to Sumatra, Foxit or anything other than Reader.
      Mr.SV
    • java is sometimes good and very often hurting

      java is very often hurting brutally and sometimes good. Monsters use it as a toy of terror.
      mercy730
  • Remove Java plugin

    unless you absolutely have to play card games on Pogo. It would help if the java updater/installer would actually remove old versions of java.
    zmudd
    • Problem with the updater...

      Sun has a track record of bundling crapware with their Java updates. Oh, you can opt out but they are included by default. Once I saw OpenOffice included with a Java update. For this reason many companies that install Java turn off the updater and update manually (if they do at all).
      Rann Xeroxx
      • NEVER seen anything "bundled" with a Java update.

        #1- Sun doesn't exist anymore. Java is owned by Oracle.

        #2- A banner advertising OpenOffice.org is nowhere near your ignorant claim that they are bundling crapware with updates.
        wackoae
        • ORACLE java

          How about ASK toolbar? Never saw it with Java updates checked by default?
          anusinovich@...
  • I say . . .

    Remove Java (client), Reader, and flash from all computers! They have had way too many years to secure those products. Their ineptitude is almost criminal.
    rmark@...
  • Old Java Version

    Any businesses dealing with Lowes are forced to use an old Java 6 version in order to comply with their outdated programming, leaving manufacturers and suppliers vulnerable to the extreme.
    FHoruzek
    • Public updates have ended for Java SE 6

      However, enterprises have the option to purchase continued updates for EOL'd Java SE versions, such as Java SE 6:

      "Oracle Java SE Support"
      http://www.oracle.com/us/technologies/java/standard-edition/support/overview/index.html

      Just note that the current minimum order quantity is 2000 at $5 U.S. each. That's $10,000 U.S. minimum. Definitely not consumer or small business-friendly.
      Rabid Howler Monkey
  • the real culprit is windoze

    migrate to Linux and you'll be fine, regardless of the apps you run, because the FOSS people care.
    LlNUX Geek
    • Java, Flash Player and Reader are all cross-platform, including Linux

      And so are the vulnerabilities. :)

      Sometimes it's nice to use an OS with a very small market share, as the miscreants behind mass malware attacks aren't particularly interested in the GNU/Linux and BSD desktops.
      Rabid Howler Monkey
  • Java, Adobe, Apple

    Three manufacturers whose software you should never run on a Windows PC. The basic Win 7/8 box is pretty reliable if you avoid the big three problem vectors. The first two just kill things, bad installations of Apple stuff make things really slow.
    mswift@...
    • Too ignorant to know what you are talking about

      #1- Not one single Apple related product is in the list.

      #2- Java is a language. Not a "manufacturer"

      #3- Adobe is a SOFTWARE COMPANY, not a manufacturer either.
      wackoae
  • Uh, is it really SUCH an unknown??

    EXCEPT apparently to the companies who claim to provide us with PROTECTION against the exploits???? I think just about every 'doze online user has been hit with one, or more, exploit(s), yet for some unknown reason none of the "protectors" have managed to provide ANY protection against these exploits.
    What's wrong with this picture????
    Willnott