Six in Ten Users Have Vulnerable Adobe Reader Versions Installed

According to an analysis performed by Czech antivirus vendor AVAST Software one in every ten users is running an unpatched version of Adobe Reader.

The company's test base is large and very diverse, avast! Free Antivirus being one of the most popular antivirus products in the world with over 131 million active users.

The security company claims that 40% of people have the newest Adobe Reader X or a fully patched version of the PDF reader application installed.

Meanwhile, 20% of users are running unpatched versions Adobe Reader 8.x or older. It's worth noting that the 8.x branch is still supported and receives security updates.

The breakdown by version is 40% Adobe Reader X or patched, 35% version 9, 14% version 8, 6% version 7, 2% version 6 and 3% older versions.

The company points out that 80% of its user base was using Adobe Reader, while Foxit was the second most popular PDF reader with 4.8%.

Despite a decline in the number of Adobe Reader exploits in the past year, the PDF reader is still commonly targeted in drive-by downloads and targeted attacks. Most web exploitation kits continue to include exploits for vulnerabilities in older versions of Adobe Reader.

"There is a basic assumption that people will automatically update or migrate to the newer version of any program. At least with Adobe Reader, this assumption is wrong – and it’s exposing users to a wide range of potential threats," said Ondrej Vlcek, CTO at AVAST Software.

Back in March when we interviewed Mr. Vlcek he said the company is considering including an automatic updating component for commonly attacked software in future versions of its antivirus. This analysis might be part of its process of determining how useful would such a feature would be.

Brad Arking, Adobe's senior director of product security and privacy, agrees with AVAST's estimation. "We find that most consumers don’t bother updating a free app such as Adobe Reader as PDF files can be viewed in the older version. In many cases, users only update when provisioning a new machine," he said.

Adobe made improvements to its Adobe Reader updater and is considering silent updates for the future. The product's latest version, X (10.0), contains sandboxing technology which protects users from exploits even if the vulnerabilities are not yet patched.