PDF Readers are Left Wide Open to Attacks on Private US PCs

By ISBuzz Team
Writer, Information Security Buzz | May 06, 2015 05:05 pm PST

Secunia, a leading provider of IT security solutions for vulnerability management, today published its latest batch of country reports for a total of 15 countries, including the US. The data in the US report shows that unpatched, vulnerable PDF readers are a big security issue for private PC users; that 14% of PC users in the US (up from 12.9% last quarter) have an unpatched operating system, and that Oracle Java yet again tops the list of applications exposing PCs to security risks.

The country report documents the state of security among PC users in the USA, based on data from scans by the Secunia Personal Software Inspector (PSI), in the first three months of 2015. The security of a PC is significantly affected by the number and type of applications installed on it, and the extent to which these programs are patched.

Key findings in the US report include:

  • Adobe Reader 10 and 11 come in at number three and four on the Most Exposed List. Adobe Reader 10 has a 25% market share and 39 vulnerabilities, and is unpatched on 65% of PCs. Adobe Reader 11 has a 55% market share and 40 vulnerabilities, and is unpatched on 18% of PCs.
  • Oracle’s Java JRE 7 tops the list as the most exposed application on US PCs. It has a market share of 54%, and 77% of its users have not installed the latest updates, despite 101 reported vulnerabilities.
  • 1 in 20 programs on the average US PC has reached end-of-life, meaning it is no longer supported by the vendor and does not receive security updates. Adobe Flash Player, one of the end-of-life applications, is still installed on no less than 78% of the PCs.
  • Other applications in the top 10 include Apple QuickTime, Microsoft Internet Explorer and uTorrent for Windows.

Secunia’s annual Vulnerability Review, published in March, identified that a total of 85% of private users worldwide have a version of Adobe Reader installed on their PCs. The US report for Q1 corroborates the number.

Kasper Lindgaard, Director of Research and Security at Secunia, comments on the issue:

“It is worrying that, with such a high market share, one in five US users fail to patch their Adobe PDF reader. Considering the fact that PDF documents are a prominent attack vector used by hackers to gain entry into IT systems, users put themselves and any system they are connected to at risk by neglecting the security risk the popular reader represents when not maintained. It is paramount that users remember to patch their PDF readers, and that corporate IT teams have procedures in place to update all PDF readers on devices that are in any way connected to the company infrastructure,” says Lindgaard.

Vendors’ security updates are readily available; however, the average US user must master 27 different update mechanisms to ensure the latest patches are regularly applied. To simplify this process, Secunia recommends users download its free Secunia PSI security tool, which has already been downloaded by more than 8 million private individuals globally to detect vulnerable programs and plug-ins. Once installed, it can help PC users automatically patch vulnerable programs and stay secure. For patch management in a corporate environment, IT security teams can also subscribe to the Secunia CSI.

Secunia’s Q1 Country Reports are averages based on scans of PCs by the Secunia PSI between January 1 and March 31, 2015. It is safe to assume that Secunia PSI users are more secure than the average PC user, and therefore these figures can be considered conservative estimates.

To download the report, please visit HERE

About Secunia

Founded in 2002, Secunia is a leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats and risks across their networks and endpoints. This is enabled by Secunia’s award-winning Vulnerability Intelligence, Vulnerability Assessment, and Patch Management solutions that ensure optimal and cost-effective protection of critical information assets.

Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base. Secunia is headquartered in Copenhagen, Denmark.

For more information, please visit secunia.com.