04. December 2013

Adobe & Java Make Windows Insecure

A long-term examination carried out by AV-TEST has proven that Adobe’s Reader and Flash and all versions of Java are together responsible for a total of 66 percent of the vulnerabilities in Windows systems exploited by malware. Such weaknesses enable Trojans and other forms of malware to invade PC systems, in some cases in an unstoppable manner.

The top 10 list of the most frequently infected file types

The PDF format is most frequently used as a malware transporter for vulnerabilities. In many applications the ZIP format is used to store data. Microsoft Office also saves documents and tables in a ZIP format, however the respective use of file extensions such as .DOCX or .XLSX does not necessarily mean that users are aware of this fact.


Experts have therefore been advising users to constantly keep their Adobe Reader up-to-date for quite some time in order to prevent the program from becoming a dangerous gateway that malware can use to work its way onto Windows systems. The long-term examination carried out by AV-TEST, which took place over a period of more than ten years, not only confirms this expert advice, but also clearly shows that Adobe Reader, Adobe Flash and Java are together responsible for two thirds of the vulnerabilities in Windows systems exploited by malware. Users who rarely update their software and use insufficient security software have virtually no chance when faced with specially prepared malware.

The ranking of insecure software according to the number of known exploit versions

A large number of vulnerabilities meant that Java, Adobe Reader and Flash were responsible for 66 percent of the exploit versions recorded between 2000 and 2013. Although other groups were also recorded, they are not presented in the ranking shown above.

zoom ico
How Exploits Attack Software Vulnerabilities

1. During a user’s visit to a website, the site in question attempts to access the version number of the user’s software, for example Adobe Reader, in the background. Users can prevent the attack at this early stage by using secure protection software.
2. If a user's PC is poorly protected, however, the server sends the exploit that corresponds to the software version in question to the system. If the vulnerability has not been repaired before this stage, the malware is able use the weakness to sneak its way onto the system.

zoom ico


The ranking of insecure software according to the number of known exploit versions


How Exploits Attack Software Vulnerabilities

Exploits: Vulnerability Invaders

The moment they become aware of a security vulnerability in software, attackers immediately develop malware known as exploits, which are specifically designed to make use of these weaknesses. These exploits then attempt to use the vulnerability as an access point in order to invade the Windows system. Most of these attacks occur over the Internet and target the user's browser while they are surfing the net. Infected e-mails are also used as a second entrance point.

When exploits attack users' browsers, they do so with a high level of precision. Websites use the browser to access the user's system details, for example the versions of Windows, Java, Flash or other software that are currently being used. If they recognise a known susceptible version of such software, they load the corresponding exploit version and send it to attack the user’s system via drive-by download. Users who have not installed a good, secure protection software won’t even notice the exploit as it makes its way onto their system.

Java and Flash as Partners in Crime

The analysis carried out by AV-TEST on the 25 largest attacks reveals that Adobe Reader is the most susceptible software to exploit attacks with a total of nearly 37,000 different exploits recorded, immediately followed by the first version of Java with over 31,000 different types of exploit. The third program in the AV-TEST ranking is Adobe Flash, for which over 20,000 specially produced attackers were recorded.

Adding together all of the attackers that are currently threatening the different versions of Java results in an overall total of over 82,000 attackers, thus making Java the top vulnerability for exploit attacks. This is particularly alarming in consideration of the fact that the adverts produced by Java’s parent company Oracle boast that it is currently installed on 3 billion devices.

Does good security software provide protection?

So what exactly happens when users forget to update their software or an update isn't yet available for a specific vulnerability? If they are using a reliable security suite, it is highly unlikely that the vulnerability will lead to an infection because such suites feature several mechanisms that are able to detect and fend off attackers in advance.

Security suites are normally able to hinder drive-by downloads at not one, but several different stages:

1. In most cases, they identify and block the JavaScript that attempts to spy on the system in its search for vulnerable software. If the JavaScript is unable to access this information, the attack either fails completely or the website attempts to send an exploit into the system without having identified a suitable target.

2. The next stage of prevention is the detection of the actual exploit itself during the download. Exploits are often sent in the form of Java JAR, Flash or PDF files depending on the attack scenario in question. Even if a security suite does not immediately detect an attacker, it is still able to analyse the file in the cloud and categorise it accordingly.

3. If the first infected file does indeed succeed in making its way onto the system, it then attempts to load the actual malware and install it on the computer in the form of an EXE file. In this case, the security suite uses other mechanisms such as the on-access detection, behavioural detection or, at a later point in time, on-demand detection of the malware once it has been installed.

Windows as a Battlefield

Windows systems are also constantly on the attackers’ hit list. In its top-25 list of exploits, for example, AV-TEST includes a multitude of image formats that are specifically targeted for attacks on Windows systems, for example Windows’ own WMF format or .ANI and .JPG images. These image formats are joined by ActiveX, the Windows Help Center and Internet Explorer, which exhibit vulnerabilities susceptible to attacks by special exploit versions time and time again.

Microsoft therefore also constantly sends new system updates in its attempt to patch up these weaknesses. Although these updates are currently still being sent to Windows 7, 8 and XP on a regular basis, this will change in April 2014 when Microsoft completely stops its support updates for Windows XP, thus leaving the attackers free to run riot on XP systems. The only protection solution remaining for XP users from April 2014 onwards is to install a good security suite!

Mac Users: A New Target

The fact that Java and Flash now also work on Mac computers (although not on iPads) means that exploit attackers now have access to yet another new group of rewarding targets.

Evidence of this new risk was already provided back in 2012 in the form of the Flashback Trojan for Mac OS X, which exploited a security vulnerability in Java in order to link systems to the Mac OS X Flashback (or Flashfake) botnet. This botnet was subsequently able to quickly recruit over 600,000 computers to carry out its commands.

Alternatives and Solutions

When it comes to Adobe Reader, there is a quick and easy way to reduce the risks, namely to install another type of software in order to display PDFs on your system. There are plenty of free programs available to fulfil this purpose, for example:

PDF-XChange Viewer

Sumatra PDF

The most recent versions of the Firefox browser are also able to open PDF files, although the quality of the display is not always perfect.

Mozilla Is Developing an Alternative to Flash

When it comes to Flash and Java, the exploit problem is more complicated because there are currently no direct alternatives to these additional software options for browsers. A potential second option is, however, currently on the horizon, albeit only for Flash: Mozilla is now supporting the open-source project "Shumway", which is in the process of developing an HTML5 Flash player. This player aims to enable Firefox to display Flash content without actually using the Flash Player itself. Shumway converts Flash content into HTML5 code, which Firefox is then able to display. If you would like to try out the Shumway solution for yourself, you can find it as a Firefox extension together with a number of games at mozilla.github.io/shumway.

The Java Risk Remains

Despite the development of a potential Flash solution, the Java problem still remains unsolved. After all, surfing the web without Java and/or JavaScript is virtually impossible given that practically every website uses Java or JavaScript in some way in order to display images, videos or interactive content.

The only way to protect your system against Java-based attacks is to use a good security suite. In order to help you to choose a security suite that provides good protection, AV-TEST constantly publishes the results of its tests for free on its website at www.av-test.org/en/tests/home-user.

If you would like to know how different security programs perform in an endurance test, you should definitely read the AV-TEST article entitled “The Best Internet Security Suites for Windows Complete an Endurance Test Lasting 6 Months”.
the best internet security suites for windows complete an endurance test lasting 6 months

Social Media

We want to stay in touch with you! Now there is an easy way to receive regular updates on the latest news and test releases.