If You Only Install One Security Update this Month, Make Sure it's Adobe Flash ® !
A zero-day vulnerability discovered in Adobe Flash Player / AIR 20 could possibly be used to exploit end of life version 19 - found on 73 percent of all private US PCs.
Copenhagen & Itasca, IL - January 19, 2016 Secunia Research at Flexera Software, a leading provider of software vulnerability intelligence, has published country reports covering Q4 2015 for 14 countries. The reports provide a status on vulnerable software products on private PCs in those countries, listing the vulnerable applications and ranking them by the extent to which they expose those PCs to hackers.
Key findings in the US Country Report include:
- 73 percent of US users had Adobe Flash Player 19 installed. This version is end-of-life and therefore no longer receives security updates from Adobe. Vulnerabilities in newer versions are used to exploit older versions. It is therefore important to remember to remove end-of-life products from your PC.
- 12.2% of the non-Microsoft programs on private US PCs were unpatched in Q4. Only 4.4 percent of Microsoft® programs were unpatched. US users have 76 applications installed on average, from 27 different vendors. 32 of the 76 applications - 42 percent - are Microsoft applications.
- 9.9 percent of US private users had not patched the Windows® operating system on their PC (covered by the report are Windows Vista, Windows 7, Windows 8, Windows 10).
The zero-day vulnerability in Adobe Flash disclosed on December 28, 2015, was rated "Extremely Critical" by Secunia Research, because it can be triggered from remote and can execute arbitrary code. The vulnerability can possibly be used to exploit older versions of Adobe Flash Player /AIR, too, including end-of-life version 19, which is found on 73 percent of all private US PCs, as the US Country Report documents.
"The vulnerability discovered in Adobe Flash Player/ AIR 20 in December makes it even more important than usual to keep Adobe Flash Player up to date and get rid of end-of-life versions," said Kasper Lindgaard, Director of Secunia Research at Flexera Software. "Adobe Flash is the most popular application within exploit kits, because it is so widely used and can therefore be used to leverage access to different platforms and both private and corporate users. While security-aware organizations know not to allow Adobe Flash Player anywhere near their business critical systems, private PC users tend not to be quite so mindful."
Non-Microsoft programs are poorly patched on private PCs
On the average private US PC, 76 applications are installed from a total of 27 different vendors. One vendor, Microsoft, is on average the producer of 32 of those applications. With automated updates and a well-established security patch process, Microsoft makes it easy for private users to stay patched: All that is required on a private PC is to keep the auto-update feature in the Microsoft Update center switched on - which is the default setting. This user-friendly approach to security is one explanation for why only 4.4 percent of Microsoft applications on private PCs are unpatched.
The patch status of the remaining 44 non-Microsoft applications is a different story, though. Three times as many - 12.2 percent - of these applications are unpatched. This difference is mainly due to the fact that 26 different vendors are behind those 44 applications, and each of those vendors have its own update mechanism. Essentially, this means that users have to familiarize themselves with 26 different update mechanisms and install the updates every time they become available.
To help users stay secure Flexera Software offers the Personal Software Inspector (formerly Secunia PSI 3.0), a free computer security scanner which identifies software applications that are insecure and in need of security updates. It has been downloaded by over 8 million PC users globally to detect vulnerable and outdated programs and plug-ins.
The 14 Country Reports are based on data from scans by the Personal Software Inspector between January 1, 2015 and December 31, 2015.
Learn more about: