RSA: Java is the Most Vulnerable Browser Plug-in
New study from Qualys using months of data from browser checking service identifies the most vulnerable browser plug-ins.
Are your browser plug-ins up-to-date?
In a session at the RSA conference in San Francisco, Qualys CTO Wolfgang Kandek revealed that many browser users don't have updated plug-ins. Kandek's data was derived from over 200,000 browser visits to the Qualys BrowserCheck service between July of 2010 and January of 2011. BrowserCheck checks a user's browser to see whether its plug-ins are up to date.
According to Qualys' data, 42 percent of users were running vulnerable out-of-date Java plug-ins. Adobe's Reader was in second at 32 percent followed by Apple QuickTime at 25 percent. Adobe Flash came in fourth at 24 percent.
Qualys isn't the first vendor to call out Java as the most vulnerable plug-in. A study earlier this year from Cisco also put Java in the top spot. As to why Java is the most vulnerable plug-in and isn't being updated by users, Kandek attributed it to a lack of awareness.
"The exposure is just not there, for me Oracle Java is just another piece of software and there is no particular attention being paid to the necessity of rolling out the updates," Kandek told InternetNews.com. "I think that is different for Adobe where they are really active, but I haven't seen the same thing from Oracle around Java."
Oracle just updated Java again this week with a 21-patch update.
The Qualys data was measured across multiple browsers that used the BrowserCheck service. The most popular browser was IE 8 at 37 percent, with Firefox 3.6 coming in at 26 percent and Chrome at 13 percent.
What's interesting to note is that the Mozilla Firefox 3.6 browser includes its own plug-in checking service which is intended to help users identify out-of-date plug-ins.
There is however a catch. Qualys' BrowserCheck does not currently have an automated system to remind users that it's time to check their plug-ins. Kandek noted that Qualys has given that problem some thought, with different potential options including a background scanning feature.
"We see the problem now of getting people to actively remember to visit the page," Kandek said. "For me on my machine, BrowserCheck is my homepage so whenever I start my browser, I check plug-ins automatically."
Keep up with security news; follow eSecurityPlanet on Twitter: @eSecurityP.