Kaspersky Lab report: significant numbers of users never upgrade obsolete or vulnerable software
01 Feb 2013
Using data from the cloud-based Kaspersky Security Network, Kaspersky Lab examined the threat posed by software vulnerabilities. The research revealed that users of older and particularly dangerous editions of Oracle Java, Adobe Flash Player and Adobe Reader are highly reluctant to switch to newer and safer versions.
Kaspersky Lab has released the report ‘Evaluating the threat level of software vulnerabilities’, following careful analysis of the prevalence of security flaws found in various programs throughout 2012. As well as highlighting the most dangerous vulnerabilities, the research also assesses how enthusiastically users upgrade to newer versions of software once that update has been made available. This particular analysis revealed the disturbing fact that some old - or even obsolete - versions of popular programs remain on a significant number of PCs for months and even years.
Software vulnerabilities present a clear and obvious threat to both consumers and businesses. They are used as a key “burglary tool” to steal private data from users, conduct cyber-espionage on businesses and sabotage crucial industrial systems or government agencies. There are different ways to mitigate such risks: from software developers’ efforts to release updates on time and enhance the overall security of their products, to the most advanced protection technologies, such as Kaspersky Lab’s Automatic Exploit Prevention. The goal of the latest Kaspersky Lab research was to understand the actual threat posed by software vulnerabilities and evaluate user reaction to the release of a new version of a program which fixes dangerous security flaws. While the analysis focused mainly on the most dangerous software flaws, those known to be actively exploited by cybercriminals, the total number of vulnerabilities discovered in 2012 was an alarming 800+. Some of them, even though rarely found on users’ PCs, can be used as a gateway for a targeted attack.
Main Research Findings
- Analysis of data from more than 11 million users revealed over 132 million vulnerabilities discovered in various programs, an average of 12 vulnerabilities per user.
- Over 800 different vulnerabilities were discovered.
- Of these, just 37 were found on at least 10% of computers during at least one week of 2012. These vulnerabilities account for 70% of all detected software flaws.
- Adobe Shockwave and Flash Player, Apple iTunes/QuickTime, and Java were the software packages with the highest number of frequently found software vulnerabilities.
- Only eight vulnerabilities out of those 37 are found in the widespread exploit packs used by cybercriminals:
  - Five vulnerabilities in Oracle Java
  - Two vulnerabilities in Adobe Flash Player
  - One vulnerability in Adobe Reader
- Research on users’ willingness to switch to newer, safer software versions revealed that:
  - Six weeks after the appearance of the latest version of Java (September-October 2012), only 28.2% of users managed to switch to the safest version, with over 70% leaving their system vulnerable to Java exploits.
  - An obsolete 2010 version of Adobe Flash Player that could easily be exploited was found on an average of 10.2% of computers, with almost no decline noted throughout 2012.
  - A vulnerability discovered in Adobe Reader in December 2011 was found on 13.5% of computers, again, with no signs of decline.
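The report's measure is the share of machines still running a pre-fix version, tracked week by week, with a flaw counted as widespread once it sits on at least 10% of machines in any single week. As an added example that is not part of the Kaspersky report, the Python below applies that measure to a constructed software inventory; the product names, version strings and "first fixed" versions are assumed sample values.

```python
from collections import defaultdict

# Constructed inventory: weekly snapshots of (week, host, product, version).
# Sample values only; they are not drawn from the report's data.
SNAPSHOTS = [
    (1, "h1", "java", "1.7.0_07"), (1, "h2", "java", "1.7.0_07"),
    (1, "h3", "java", "1.7.0_09"), (1, "h4", "java", "1.6.0_31"),
    (1, "h1", "flash", "10.1.102.64"), (1, "h2", "flash", "11.5.502.110"),
    (1, "h3", "reader", "10.1.4"),
    (2, "h1", "java", "1.7.0_09"), (2, "h2", "java", "1.7.0_07"),
    (2, "h3", "java", "1.7.0_09"), (2, "h4", "java", "1.6.0_31"),
    (2, "h1", "flash", "10.1.102.64"), (2, "h2", "flash", "11.5.502.110"),
    (2, "h3", "reader", "10.1.4"),
]

# Assumed "first version that contains the fix" per product (hypothetical).
FIXED = {"java": "1.7.0_09", "flash": "11.5.502.110", "reader": "10.1.2"}


def parse_version(s):
    """'1.7.0_09' -> (1, 7, 0, 9). Tuples compare field by field, so the
    string comparison trap '1.7.0_9' > '1.7.0_10' cannot occur."""
    return tuple(int(part) for part in s.replace("_", ".").split("."))


def weekly_outdated_share(snapshots, fixed):
    """Return {product: {week: fraction of hosts still below the fixed version}}."""
    seen = defaultdict(lambda: defaultdict(set))      # product -> week -> hosts
    outdated = defaultdict(lambda: defaultdict(set))  # product -> week -> unpatched hosts
    for week, host, product, version in snapshots:
        if product not in fixed:
            continue  # no baseline to judge against
        seen[product][week].add(host)
        if parse_version(version) < parse_version(fixed[product]):
            outdated[product][week].add(host)
    return {p: {w: len(outdated[p][w]) / len(hosts) for w, hosts in weeks.items()}
            for p, weeks in seen.items()}


def widespread(shares, threshold=0.10):
    """Products whose pre-fix version was on >= threshold of hosts in some week."""
    return sorted(p for p, weeks in shares.items()
                  if max(weeks.values()) >= threshold)


if __name__ == "__main__":
    shares = weekly_outdated_share(SNAPSHOTS, FIXED)
    for product, weeks in sorted(shares.items()):
        print(product, {w: f"{v:.0%}" for w, v in sorted(weeks.items())})
    print("widespread:", widespread(shares))
```

Replacing the constructed snapshots with an export from an endpoint inventory tool gives the same week-over-week adoption curve the report uses to show how slowly fixed versions replace vulnerable ones.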
Vyacheslav Zakorzhevsky, Vulnerability Research Expert
“What this research reveals is that releasing a fix for a security loophole shortly after discovery is not enough to make users and businesses secure. Inefficient update mechanisms have left millions of users of Java, Adobe Flash and Adobe Reader at risk. This, along with the whole series of critical vulnerabilities found in Java in 2012 and early 2013, highlights the need for the most up-to-date protection methods. Companies should take this problem very seriously, as security flaws in popular software have become the principal gateways for a successful targeted attack.”
The full report ‘Evaluating the threat level of software vulnerabilities’ is available at Securelist.com. You can also download the PDF version here.