Almost all Windows users vulnerable to Flash zero-day attacksJuly 27, 2009 – 6:11 PM
More than 9 out of every 10 Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won’t patch until Thursday, a Danish security company said today.
According to Secunia, 92% of the 900,000 users who have recently run the company’s Personal Software Inspector (PSI) utility have Flash Player 10 on their PCs, while 31% have Flash Player 9. (The total exceeds 100% because some users have installed both.)
The most-current versions of Flash Player — 18.104.22.168 and 10.0.22.87) — are vulnerable to hackers conducting drive-by attacks hosted on malicious and legitimate-but-compromised sites. Antivirus vendors have reported hundreds, in some cases thousands, of sites launching drive-bys against Flash.
Secunia’s PSI also pegged the installed base of the current Adobe Reader 9.1.2 and Abode Acrobat 9.1.2 at 48% and 2%, respectively. Because both include an interpreter to handle Flash content embedded in PDF files, they also can be exploited. The initial attacks, in fact, were based on rigged PDFs.
Adobe has acknowledged that Flash, Reader and Acrobat contain a critical bug. Last Wednesday, it kicked its security process into high gear, promising it would deliver patches for Flash by July 30, and fixes for Reader and Acrobat by July 31.