According to a report from Qualys, close to 80% of web surfers are exposed to attacks because of vulnerable plug-ins installed in their browsers. The company's findings were presented at the RSA security conference this week and are based on data gathered by its free BrowserCheck scanner.
Qualys BrowserCheck scans browser installations for outdated plugins and other vulnerable software that might influence their security.
Depending on the operating system, the tool can check the version of the browser itself, as well as Adobe Flash Player, Adobe Reader, Adobe Shockwave Player, Java Runtime Environment, Apple QuickTime, BEA JRockit, DivX Web Player, Foxit Reader, Flip4Mac Windows Media plugin, Microsoft Silverlight, Microsoft Windows Media Player, Novell Moonlight, Real Player, Totem Media Player, VLC Media Player, Yahoo! BrowserPlus and the Windows Presentation Foundation plugin.
As many as 47% of users who ran BrowserCheck were on Windows XP, while 32% were using Windows 7. Meanwhile, 36% ran the scan from Internet Explorer 8 and 34% from Firefox 3.6.
The most commonly installed plugin was Flash, being found on 97% of computers, and it was closely followed by Windows Media Player, with a rate of 95%. Adobe Reader and Java Runtime followed, both with around 80%, while Silverlight completed the top five with 65%.
The security stats [pdf] showed that between 25% and 30% of users were missing security updates for the browser itself. Java was deemed the most vulnerable plugin, with over 40% of installations being outdated, and Adobe Reader followed with 32%.
QuickTime and Flash were almost on par at 25% and 24%, respectively, while Shockwave was not far behind at 21%.
The fact that Java has the highest share of outdated installations is reflected in real-world attacks: drive-by download kits show Java exploits as having the highest success rate.
This suggests that Java's updater could use an overhaul as it's clearly not doing its job properly. Adobe Reader used to have the same problem, but Adobe listened to critics and made improvements.
That is probably the reason why two months after launch, Adobe Reader X, the latest version of the program which comes with sandboxing technology, had an adoption rate of over 60%.
If things continue down this path, browser vendors might have to take the issue into their own hands and force users to update plugins. Google is already working on a system for Chrome to automatically disable outdated plugins.