Many browsers run insecure plug-ins, analysis finds

Large numbers of web browsers run out of date plug-ins that render them vulnerable to security exploits, a new analysis by security management company Qualys has found.

Analysing 420,000 scans from the company’s Browsercheck tool, Qualys discovered that the biggest problems lie with a handful of common plug-ins for video such as Adobe Flash, Apple Quicktime, Shockwave and Windows Media Player, plus more general utilities such as PDF Reader, and old favourite, Java.

The most vulnerable pug-in was Java, installed on 80 percent of browsers, 40 percent of which were running an out-of-date version of the software open to exploits. Adobe Reader took second spot, also installed on 80 percent of browsers, just over 30 percent of which were vulnerable.

A commonly-cited worry, Flash video, was vulnerable on a more modest 20 percent of browsers despite being present in more than 95 percent of them. Other video players such as Shockwave and Quicktime showed vulnerability levels of between 20-25 percent but were installed on only around 40 percent of browsers.

Overall, around 80 percent of browser-related security flaws now lie with plug-ins and only 20 percent with browsers, regardless of which browser was looked at.

The sheer number of common plug-ins, and the difficulty many users found in keeping them patched in a timely way, was what lay at the heart of the less-than-impressive numbers, said Qualys CTO, Wolfgang Kandek.

“The problem is that they all have their own individual updating mechanisms. It makes the problem much bigger than it needs to be,” he said.

According to Kandek, the answer was to adopt the approach of Google Chrome and build some plug-in updates into the browser’s own updating system. This made it more likely that the browsers would be patched, he said.

Longer term, the model adopted by emerging mobile operating systems such as Android and iOS was superior because it used a more integrated patching model.