Unpatched, vulnerable PDF readers leave users open to attack

Unpatched, vulnerable PDF readers are a big security issue for private PC users, according to Secunia. 14% of PC users in the US (up from 12.9% last quarter) have an unpatched operating system, and that Oracle Java yet again tops the list of applications exposing PCs to security risks.


The security of a PC is significantly affected by the number and type of applications installed on it, and the extent to which these programs are patched:

  • Adobe Reader 10 and 11 come in at number three and four on the Most Exposed List. Adobe Reader 10 with a 25% market share, 39 vulnerabilities and unpatched on 65% of PCs. Adobe Reader 11 with a 55% market share, 40 vulnerabilities and unpatched on 18% of PCs.
  • Oracle’s Java JRE 7 tops the list as the most exposed application on the US PCs. With a market share of 54%, 77% of users have not installed the latest updates, despite 101 reported vulnerabilities.
  • 1 in 20 programs on the average US PC have reached end-of-life, meaning they are no longer supported by the vendor and do not receive security updates. Adobe Flash Player is still installed on no less than 78% of the PCs.
  • Other applications in the top 10 include Apple QuickTime, Microsoft Internet Explorer and uTorrent for Windows.

Secunia’s annual Vulnerability Review published in March, identified that a total of 85% private users worldwide have a version of Adobe Reader installed on their PCs. The US report for Q1 corroborates the number.


Kasper Lindgaard, Director of Research and Security at Secunia, comments: “It is worrying that, with such a high market share, one in five US users fail to patch their Adobe PDF reader. Considering the fact that PDF documents is a prominent attack vector used by hackers to gain entry into IT systems, users put themselves and any system they are connected to at risk, by neglecting the security risk the popular reader represents when not maintained. It is paramount that users remember to patch their PDF readers, and that corporate IT teams have procedures in place to update all PDF readers on devices that are in any way connected to the company infrastructure.”

Vendors’ security updates are readily available. However, the average US user must master 27 different update mechanisms to ensure the latest patches are regularly applied.