Most vulnerable browser plugin? Think Java, not Flash

Adobe’s Flash media plug-in for Web browsers doesn’t exactly have a stellar security record, requiring several urgent security updates to squelch zero-day exploits. However, computer security experts are now calling attention to Java, noting that many Internet users are running browsers with outdated Java implementations that contain serious security holes of their own. In a session at this year’s RSA Conference in San Francisco, Qualys CEO Walfgang Kandek unveiled data that showed that of over 200,000 browsers that visited his company’s BrowserCheck security service between July 2010 and January 2011, some 42 percent were running out-of-date Java plug-ins with known vulnerabilities. The number of people running out of date Flash plug-ins stood at 24 percent. In between came Adobe Reader at 32 percent, followed by Apple QuickTime at 25 percent.

The figures come just as Oracle has released an update to Java which patches some 21 vulnerabilities, 8 of which are considered extremely critical and some 19 of which could be exploited over a networking without valid login credentials. Oracle also issued multiple updates to Java throughout 2010 to address vulnerabilities.

Qualys isn’t the only company to single out Java as a key vulnerability in many users’ systems: in December networking giant Cisco noted (PDF) attacks on Java exceeded attacks against Adobe Reader and Acrobat during 2010, with Java some 3.5 more frequently exploited than malicious PDFs.

Qualys’s browser check system has itself been criticized for requiring users to install a browser plug-in in order to conduct its security audit. Competing services—such as the one built into Mozilla browsers—operate using Javascript.

Editors' Recommendations