A zero-day vulnerability discovered in Adobe Flash Player / AIR 20 could possibly be used to exploit end of life version 19 – found on 78 percent of all private US PCs.
Secunia Research at Flexera Software, a leading provider of software vulnerability intelligence, has published country reports covering Q4 2015 for 14 countries. The reports provide a status on vulnerable software products on private PCs in those countries, listing the vulnerable applications and ranking them by the extent to which they expose those PCs to hackers.
Key findings in the UK Country Report include:
- 78 percent of UK users had Adobe Flash Player 19 installed. This version is end-of-life and therefore no longer receives security updates from Adobe. Vulnerabilities in newer versions are used to exploit older versions. It is therefore important to remember to remove end-of-life products from your PC.
- 11.4 percent of the non-Microsoft programmes on private UK PCs were unpatched in Q4. Only 4.1 percent of Microsoft® programmes were unpatched. UK users have 74 applications installed on average, from 26 different vendors. 31 of the 74 applications – nearly 42 percent – are Microsoft applications.
- 8.0 percent of UK private users had not patched the Windows® operating system on their PC (covered by the report are Windows Vista, Windows 7, Windows 8, Windows 10).
The zero-day vulnerability in Adobe Flash disclosed on December 28, 2015, was rated “Extremely Critical” by Secunia Research, because it can be triggered from remote and can execute arbitrary code. The vulnerability can possibly be used to exploit older versions of Adobe Flash Player /AIR, too, including end-of-life version 19, which is found on 78 percent of all private UK PCs, per the UK Country Report document.
“The vulnerability discovered in Adobe Flash Player/ AIR 20 in December makes it even more important than usual to keep Adobe Flash Player up to date and get rid of end-of-life versions,” said Kasper Lindgaard, Director of Secunia Research at Flexera Software. “Adobe Flash is the most popular application within exploit kits, because it is so widely used and can therefore be used to leverage access to different platforms and both private and corporate users. While security-aware organisations know not to allow Adobe Flash Player anywhere near their business critical systems, private PC users tend not to be quite so mindful.”
Non-Microsoft programmes are poorly patched on private PCs
On the average private UK PC, 74 applications are installed from a total of 26 different vendors. One vendor, Microsoft, is on average the producer of 31 of those applications. With automated updates and a well-established security patch process, Microsoft makes it easy for private users to stay patched: All that is required on a private PC is to keep the auto-update feature in the Microsoft Update center switched on – which is the default setting. This user-friendly approach to security is one explanation for why only 4.1 percent of Microsoft applications on private PCs are unpatched.
The patch status of the remaining 43 non-Microsoft applications is a different story, though. Nearly three times as many – 11.4 percent – of these applications are unpatched. This difference is mainly due to the fact that 25 different vendors are behind those 43 applications, and each of those vendors has its own update mechanism. Essentially, this means that users have to familiarise themselves with 25 different update mechanisms and install the updates every time they become available.
To help users stay secure Flexera Software offers the Personal Software Inspector (formerly Secunia PSI 3.0), a free computer security scanner which identifies software applications that are insecure and in need of security updates. It has been downloaded by over 8 million PC users globally to detect vulnerable and outdated programs and plug-ins.