Are your browser plug-ins up-to-date?

In a session at the RSA conference in San Francisco, Qualys CTO Wolfgang Kandek revealed that many browser users don't have updated plug-ins. Kandek's data was derived from over 200,000 browser visits to the Qualys BrowserCheck service between July of 2010 and January of 2011. BrowserCheck checks user's browser to see if they're running up-to-date plug-ins.

According to Qualys' data, 42 percent of users were running vulnerable out-of-date Java plug-ins. Adobe's Reader was in second at 32 percent followed by Apple QuickTime at 25 percent. Adobe Flash came in fourth at 24 percent.

Qualys isn't the first vendor to call out Java as the most vulnerable plug-in. A study earlier this year from Cisco also put Java in the top spot. As to why Java is most vulnerable plug-in and isn't being updated by users, Kandek noted that it's due to a lack of awareness.

"The exposure is just not there, for me Oracle Java is just another piece of software and there is no particular attention being paid to the necessity of rolling out the updates," Kandek told "I think that is different for Adobe where they are really active, but I haven't seen the same thing from Oracle around Java."

Oracle just updated Java again this week with a 21 patch update.

The Qualys data was measured across multiple browsers that used the BrowserCheck service. The most popular browser used was IE 8 at 37 percent with Firefox 3.6 coming it at 26 percent and Chrome coming in at 13 percent.

What's interesting to note is that the Mozilla Firefox 3.6 browser includes its own plug-in checking service which is intended to help users identify out-of-date plug-ins.

The BrowserCheck service from Qualys is the same basic concept as what Mozilla offers, thought the technical implementation is different. Kandek noted that Qualys browser check requires users to first install a Qualys plug-in and then go to the service website. Mozilla on the other hand, does not require an add-on installation and leverages JavaScript to help identify plug-ins.

"We can look deeper than what Mozilla does on the JavaScript level and we have access to more details on the machine by being a plug-in," Kandek said. "It does require people to install something, which turns off some people, but we elected to do it to get deeper information and to be able to have more checks available."

There is however a catch. Qualys' BrowserCheck does not currently have an automated system to remind users that it's time to check their plug-ins. Kandek noted that Qualys has given that problem some thought, with different potential options including a background scanning feature.

"We see the problem now of getting people to actively remember to visit the page," Kandek said. "For me on my machine, BrowserCheck is my homepage so whenever I start my browser, I check plug-ins automatically."

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.

Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.