Adobe Reader and Microsoft IE Top Web Security Concerns

The majority of Internet security threats come from unpatched vulnerabilities in Adobe Acrobat/Reader and Microsoft's Internet Explorer browser, according to an industry study.

Those two programs topped a list of the "15 most observed vulnerabilities" on the Web, according to M86 Security's "Security Labs Report: January-June 2010 Recap," released this week. The vulnerabilities persist even though Adobe and Microsoft have issued fixes for the flaws. Some users apparently haven't applied the patches, which date back to 2006 in one case.

Topping the list of commonly unpatched vulnerabilities is the Adobe Acrobat/Reader "CollectEmailInfo" flaw, for which a patch was issued in 2008. Next is the "deleted object event handling process" flaw in Internet Explorer, which had a patch issued this year. An "RDS ActiveX" flaw in Microsoft Internet Explorer ranks third on the list, even though a patch was issued in 2006.

All told, according to report, Microsoft Internet Explorer constituted five of the top 15 vulnerabilities, while Adobe Reader represented four of the top 15 vulnerabilities. M86 Security's complete list of vulnerabilities can be found in the report here (PDF download).

The report, which covers the first half of this year, highlighted some trends to watch. One "worrisome development" is the rise of "advanced persistent threat" attacks that infamously targeted Google, Adobe, Juniper Networks and other companies. The Google attack is typically known as "operation aurora" and attributed to Chinese hackers using an Internet Explorer 6 flaw.

According to M86 Security's report, advanced persistent threat attacks involve a number of steps. First, the attacker searches out employee IDs to infiltrate a company's social network. Next, URLs leading to malicious Web sites are sent through the social network. When a user clicks on the link, it redirects the person's browser to a malicious Web site housing an exploit that can spread malware.

Another rising threat is a technique of code obfuscation using Adobe Flash, according to the report. The attack avoids detection by combining "JavaScript with Adobe's ActionScript scripting language." ActionScript can work with JavaScript on the parent Web page to enable two-way communications, which makes it difficult to detect the exploits.

Java-based exploits also represent a rising trend, the study found. Typically, these attacks take place when "an iFrame or JavaScript is injected into a Web page of a legitimate site that redirects the browser to a malicious Web page."

Most malicious code on the Web is hosted on compromised existing Web sites, rather than sites devised by criminals, according to the report. The United States leads as the No. 1 host country for malware at 43 percent, followed by China (14 percent) and Russia (four percent).

Spam is on the rise, despite the demise of the McColo hosting provider and botnets. Spam represents 88 percent of all inbound e-mail and has shown a 14 percent upward trend since January. Spam is mostly used to push pharmaceutical sales, particularly the "Canadian Pharmacy" brand, according to the report.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Microsoft Sets September Launch for Purview Data Governance

    Microsoft's AI-powered Purview solution to address governance and security challenges is set to become generally available on Sept. 1.

  • An image of planes flying around a globe

    2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • End of the Road for Kaspersky in the United States

    Kaspersky on Monday said it is shuttering its U.S. operations, just days before a nationwide ban on sales of its security software was set to take effect.