
Adobe Reader and Microsoft IE Top Web Security Concerns

The majority of Internet security threats come from unpatched vulnerabilities in Adobe Acrobat/Reader and Microsoft's Internet Explorer browser, according to an industry study.

Those two programs topped a list of the "15 most observed vulnerabilities" on the Web, according to M86 Security's "Security Labs Report: January-June 2010 Recap," released this week. The vulnerabilities persist even though Adobe and Microsoft have issued fixes for the flaws. Some users apparently haven't applied the patches, which date back to 2006 in one case.

Topping the list of commonly unpatched vulnerabilities is the Adobe Acrobat/Reader "CollectEmailInfo" flaw, for which a patch was issued in 2008. Next is the "deleted object event handling process" flaw in Internet Explorer, which had a patch issued this year. An "RDS ActiveX" flaw in Microsoft Internet Explorer ranks third on the list, even though a patch was issued in 2006.

All told, according to the report, Microsoft Internet Explorer accounted for five of the top 15 vulnerabilities, while Adobe Reader represented four of the top 15 vulnerabilities. M86 Security's complete list of vulnerabilities can be found in the report here (PDF download).

The report, which covers the first half of this year, highlighted some trends to watch. One "worrisome development" is the rise of "advanced persistent threat" attacks that infamously targeted Google, Adobe, Juniper Networks and other companies. The Google attack is typically known as "Operation Aurora" and attributed to Chinese hackers using an Internet Explorer 6 flaw.

According to M86 Security's report, advanced persistent threat attacks involve a number of steps. First, the attacker searches out employee IDs to infiltrate a company's social network. Next, URLs leading to malicious Web sites are sent through the social network. When a user clicks on the link, it redirects the person's browser to a malicious Web site housing an exploit that can spread malware.

Another rising threat is a technique of code obfuscation using Adobe Flash, according to the report. The attack avoids detection by combining "JavaScript with Adobe's ActionScript scripting language." ActionScript can work with JavaScript on the parent Web page to enable two-way communications, which makes it difficult to detect the exploits.

Java-based exploits also represent a rising trend, the study found. Typically, these attacks take place when "an iFrame or JavaScript is injected into a Web page of a legitimate site that redirects the browser to a malicious Web page."

Most malicious code on the Web is hosted on compromised existing Web sites, rather than sites devised by criminals, according to the report. The United States leads as the No. 1 host country for malware at 43 percent, followed by China (14 percent) and Russia (four percent).

Spam is on the rise, despite the demise of the McColo hosting provider and botnets. Spam represents 88 percent of all inbound e-mail and has shown a 14 percent upward trend since January. Spam is mostly used to push pharmaceutical sales, particularly the "Canadian Pharmacy" brand, according to the report.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
