80 per cent of users surf with vulnerable versions of Flash
According to the report, Flash Security Hole Advisory from security services provider Trusteer, the majority of users surf with vulnerable versions of Adobe's Flash, thereby making themselves excellent targets for criminals. Trusteer says that, of the 2.5 million systems monitored as part of the company's Rapport security service, around 80 per cent had a vulnerable version of Flash installed. Attackers could infect these computers with malware using crafted website-based Flash applets. Trusteer also found vulnerable versions of Adobe Reader on almost 84 per cent of the computers studied.
In Trusteer's opinion, the figures are due to the fact that Adobe's update procedure just doesn't work very well. Although users are informed when updates for Flash are available, the update notification does not flag up the urgency of installing security updates. Many users are clearly closing the notification without installing important updates. Trusteer say that for an application which is, according to Adobe's own figures, installed on 99 per cent of all PCs and is a well-documented point of entry for malware, this is unacceptable.
According to Trusteer, a better approach to this problem is that taken by applications such as Google's Chrome browser, which installs updates without requiring user confirmation, resulting in a very high patch rate. They also points out that Mozilla's Firefox has a similar high patch rate. Adobe only introduced a regular patch cycle for its Adobe Reader and Acrobat applications and a secure product life cycle (SPLC) for its products in May of this year. However, if the attention of users is not clearly drawn to the importance of applying the update – as Microsoft does with its system messages – the availability of regular updates is of little use.
Tools such as Secunia's Personal Software Inspector (PSI) reveal whether important components such as the Flash plug-in, Java or browser libraries are vulnerable and require updating. Since version 1.5, PSI offers a "Safe Browsing" option, which gives users an idea of how safe surfing on their system really is.
- Zero-day vulnerability in Adobe Flash Player, Reader and Acrobat, a report from The H Security.
- Adobe continues distributing insecure Reader, a report from The H Security.
- Adobe patches vulnerability in Reader and Acrobat, a report from The H Security.
- Adobe to release quarterly security updates, a report from The H Security.
- Study says silent updates enhance security, a report from The H Security.