Sun Java by far the most vulnerable plug-in

Wondering how secure your browser is? Today at the RSA Conference in San Francisco, Qualys CTO Wolfgang Kandek presented their research which clearly shows that browser security is alarmingly bad.

Results show that browsers and plug-ins are frequently outdated and easily attackable. To make things worse, malware authors adapt quickly and most of their new attacks are against browser plug-ins.

Data was gathered by Qualys BrowserCheck, a tool that scans your browser looking for potential vulnerabilities and security holes in your browser and its plug-ins.

Around 200,000 people took the test in the past six months, with the top users being from the United States, Brazil and Germany. As browser popularity goes, Internet Explorer usage is big in the U.S., while Firefox dominates in Europe.

Even though browser patching is very established and user awareness is growing, the basic data shows that roughly 70% of all BrowserCheck users were using a vulnerable browser.

Detailed analysis of the data showed that only about 20% of security vulnerabilities are in the browsers and the great majority of security issues comes from the plug-ins installed in them. These plug-ins are typically not updated by the browser. Top examples are Adobe Flash and Reader, Sun Java and Windows Media Player.

While everybody knows about the hackers’ predilection for targeting Adobe Flash, data shows that Sun Java is by far the most vulnerable plug-in installed in browsers. “While Adobe has been evidently stepping up their security efforts, we still haven’t seen the same from Sun,” commented Kandek.

The simplest advice for end users would be to take a look at BrowserCheck and make sure their browsers and plug-ins are updated.

IT departments should try to follow patching cycles – it’s the least they can do in order to be safe. This naturally won’t protect them from targeted attacks, but it will at least keep those using automated tools at arm’s length.