Network World

Most Adobe users still open to recent exploits

Eight out of ten cats do nothing.
By John E. Dunn, TechWorld
August 19, 2009 12:50 PM ET
Eight out of ten users of Adobe's Acrobat Reader and Flash have still to update themselves to protect against critical security vulnerabilities that hit the software two weeks ago.

According to figures from banking security company Trusteer, ninety-eight percent of its 2.5 million UK and US banking customers use Adobe's Flash browser plug-in software, but only 79.5 percent of these users had patched themselves against the latest vulnerabilities. The figure for Acrobat Reader was 83.5 percent.

In the case of Reader, that means updating to version 9.1.3, and for Flash, version 10.0.32.18, banishing older versions that are known to have been targeted by exploits since late July.

At first sight, the news appears to give some solace to Adobe, which has faced heavy criticism that it has been complacent in the frequency and design of recent security patches.

Until the company's most recent patch of 31 July, Acrobat and Flash users had still been exposed to real-world exploits against those programs for up to a week before that date, an issue which was brought to the company's attention by several security companies. One company, Secunia, had also pointed out that its automated updating of previous versions of Acrobat wasn't happening fast enough to protect users against rogue PDF attacks.

On the other hand, the fact that users have not been updating their software even when a patch is available could be interpreted as indicating that the issue of software vulnerability still isn't being taken seriously. Trusteer's researchers dismiss this, pointing out that other companies manage much higher patch penetration rates.

"Adobe's software update mechanism does not meet the requirements of a system that is used by 99 percent of users on the Internet and is highly targeted by criminals," says the company's advisory. "In comparison, Google Chrome and Mozilla Firefox typically achieve an update rate close to 90 percent and 80 percent respectively within one week of releasing an update."

Adobe needs to overhaul its automatic patching design. "Targeting Flash and Acrobat vulnerabilities is extremely efficient since it enables criminals to target 99 percent of Internet users. By comparison, targeting vulnerabilities in Internet Explorer only reaches approximately 65 percent of Internet users. While Firefox-based attacks only reach 30 percent." Or, put more bluntly, Adobe's software is just a bigger and easier target.

Adobe's Brad Arkin, director of product security and privacy, lists forthcoming improvements to its patching design in a blog on the topic.

Adobe's next quarterly patch update for Acrobat and Reader is due on Tuesday, 13 October.

Comments (1)
what about v8 Pro users? Hung out to dry or pay $200 to upgrade to a safe version. Nice.
By Anonymous on August 20, 2009, 1:07 pm

or, not so nice. Seems ok to dictate that v8 Reader users have to update but v8 Pro users should get a security fix, it seems. Only patching serious security holes...