Kaspersky Vulnerability Underscores Users’ Poor Updating Habits
Over the past year, Adobe has taken a lot of heat for vulnerabilities in its products — specifically the Flash plug-in and Adobe Reader. Now, however, there’s a fresh new round of finger-pointing in the wake of Kaspersky’s first quarter 2011 threat analysis, in which Adobe apps accounted for the top three of the ten most prevalent vulnerabilities on consumer computers.
As is the case with so many reports like this, however, the numbers don’t tell the whole story. The top vulnerability, which was in Adobe Reader, was originally posted by Adobe on September 8, 2010 — and a patch has been available since October 5, 2010. While I’m not impressed that it took a full month for Adobe to issue a critical patch, I’m less impressed that millions of users still hadn’t bothered to update by the end of this quarter — especially when the vastly superior Adobe Reader X is available to replace the far less secure 9.X versions.
In fact, only two of the vulnerabilities Kaspersky lists actually surfaced in Q1 2011 — one in Java and one in Flash. As for the other two Adobe listings, are we to blame the company when end users opt out of an update? In my years as a technician, I’ve seen countless systems with Adobe Reader, Flash, and Java update icons resting in the tray and periodically tossing out system notifications that an update is available. Much as I would like it to be the case, Adobe and Sun can’t make a user follow good security practices.
Should Microsoft take the blame for a flaw in OneNote which was revealed in 2007 and has long since been patched? Certainly not. Yes, vendors implementing a transparent, auto-update system like the one in Google Chrome would help, but end users also need to take responsibility for their own security.
Since Kaspersky’s list doesn’t specify the actual Adobe IDs connected with the flaws, I decided to dig a bit deeper into the report. That process was complicated by the fact that Kaspersky’s links point to the wrong vulnerabilities — and the Secunia IDs provided don’t match up either. The top vulnerability, for example, is listed as an Adobe Reader flaw. Clicking through on the link took me to a report about Axigen Mail Server, and the Secunia ID (38805) points to one for Microsoft Office. Number three, a Flash vulnerability, links to a Fedora update for TeXmacs.
For a security vendor to call out another company’s products for security shortcomings and not bother to error-check prior to publishing is unacceptable. Such missteps show a disdainful lack of care and cast doubts upon the report’s veracity and value.
Originally published by ExtremeTech.