Secunia Quarterly Country Report: PDF Readers are Left Wide Open to Attacks on Private US PCs
Copenhagen, Denmark - April 29, 2015 - Secunia, a leading provider of IT security solutions for vulnerability management, today published its latest batch of country reports for a total of 15 countries, including the US. The data in the US report shows that unpatched, vulnerable PDF readers are a big security issue for private PC users; that 14% of PC users in the US (up from 12.9% last quarter) have an unpatched operating system; and that Oracle Java yet again tops the list of applications exposing PCs to security risks.
Key findings in the US report include:
- Adobe Reader 10 and 11 come in at number three and four on the Most Exposed List: Adobe Reader 10 with a 25% market share, 39 vulnerabilities and unpatched on 65% of PCs; Adobe Reader 11 with a 55% market share, 40 vulnerabilities and unpatched on 18% of PCs.
- Oracle’s Java JRE 7 tops the list as the most exposed application on PCs in the US. It has a market share of 54%, and 77% of users have not installed the latest updates, despite 101 reported vulnerabilities.
- 1 in 20 programs on the average US PC have reached end-of-life, meaning they are no longer supported by the vendor and do not receive security updates. Adobe Flash Player, one of the end-of-life applications, is still installed on no less than 78% of the PCs.
- Other applications in the top 10 include Apple QuickTime, Microsoft Internet Explorer and uTorrent for Windows.
Secunia’s annual Vulnerability Review, published in March, identified that a total of 85% of private users worldwide have a version of Adobe Reader installed on their PCs. The US report for Q1 corroborates the number. Kasper Lindgaard, Director of Research and Security at Secunia, comments on the issue: “It is worrying that, with such a high market share, one in five US users fail to patch their Adobe PDF reader. Considering the fact that PDF documents are a prominent attack vector used by hackers to gain entry into IT systems, users put themselves, and any system they are connected to, at risk by neglecting the security risk the popular reader represents when not maintained. It is paramount that users remember to patch their PDF readers, and that corporate IT teams have procedures in place to update all PDF readers on devices that are in any way connected to the company infrastructure,” says Lindgaard.
Vendors’ security updates are readily available; however, the average US user must master 27 different update mechanisms to ensure the latest patches are regularly applied. To simplify this process, Secunia recommends users download its free Secunia PSI security tool, which has already been downloaded by more than 8 million private individuals globally to detect vulnerable programs and plug-ins. Once installed, it can help PC users automatically patch vulnerable programs and stay secure. For patch management in a corporate environment, IT security teams can also subscribe to the Secunia CSI.
Secunia’s Q1 Country Reports are averages based on scans of PCs by the Secunia PSI between January 1 and March 31, 2015. It is safe to assume that Secunia PSI users are more secure than the average PC user, and therefore these figures can be considered conservative estimates.