We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,230 News Articles

Many browsers runs insecure plug-ins, analysis finds

Browsercheck tool dishes dirt on Java, Flash and Quicktime

Large numbers of web browsers run out of date plug-ins that render them vulnerable to security exploits, a new analysis by security management company Qualys has found.

Analysing 420,000 scans from the company's Browsercheck tool, Qualys discovered that the biggest problems lie with a handful of common plug-ins for video such as Adobe Flash, Apple Quicktime, Shockwave and Windows Media Player, plus more general utilities such as PDF Reader, and old favourite, Java.

The most vulnerable pug-in was Java, installed on 80 percent of browsers, 40 percent of which were running an out-of-date version of the software open to exploits. Adobe Reader took second spot, also installed on 80 percent of browsers, just over 30 percent of which were vulnerable.

A commonly-cited worry, Flash video, was vulnerable on a more modest 20 percent of browsers despite being present in more than 95 percent of them. Other video players such as Shockwave and Quicktime showed vulnerability levels of between 20-25 percent but were installed on only around 40 percent of browsers.

Overall, around 80 percent of browser-related security flaws now lie with plug-ins and only 20 percent with browsers, regardless of which browser was looked at.

The sheer number of common plug-ins, and the difficulty many users found in keeping them patched in a timely way, was what lay at the heart of the less-than-impressive numbers, said Qualys CTO, Wolfgang Kandek.

"The problem is that they all have their own individual updating mechanisms. It makes the problem much bigger than it needs to be," he said.

According to Kandek, the answer was to adopt the approach of Google Chrome and build some plug-in updates into the browser's own updating system. This made it more likely that the browsers would be patched, he said.

Longer term, the model adopted by emerging mobile operating systems such as Android and iOS was superior because it used a more integrated patching model.


IDG UK Sites

OnePlus Two release date rumours: Something's happening on 22 July

IDG UK Sites

13in MacBook Air review, Apple's MacBook Air 2014 reviewed

IDG UK Sites

5 reasons to buy an electric car and 5 reasons not to

IDG UK Sites

Evernote Skitch: the best way for creatives to doodle feedback