Tuesday, June 21, 2011

Patching Flash - CVE-2011-2110 post-mortem

Last week I blogged about the CVE-2011-2110 Adobe Flash vulnerability being actively exploited in the wild. Adobe released its patch exactly a week ago (Tuesday, June 14), so I wanted to do a follow-up to identify the patch rate within our enterprise customers.

In our last "State of the Web" quarterly report, we identified that only 4.5% of our customers running Flash were running an outdated, vulnerable version. (Java was the most out of date, at 51.32%, a good reason why it has become a favorite client-side application for attackers to exploit.) Running the numbers for the week prior to and the week following the patch shows:


Week prior to CVE-2011-2110 patch:

About 93.43% of clients accessing the web through our cloud during this period had Flash installed. Of the clients that had Flash installed, 7.88% were running an out of date / vulnerable version.

Week following CVE-2011-2110 patch:

About 94.19% of the clients accessing the web through our cloud during this period had Flash installed. Of the clients that had Flash installed, 10.15% were running an out of date / vulnerable version, about a 28.81% relative increase in vulnerable Flash instances. The overall vulnerable percentage is also more than double the rate we noted for Q1 2011, showing that client-side application patching within the enterprise remains a problem. This is in spite of Adobe's auto-updating feature, which still requires action from the weakest link (the user). In Adobe's own words: "Windows users and users of Adobe Flash Player 10.3.181.16 or later for Macintosh can install the update via the auto-update mechanism within the product when prompted."
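To make the two-level metric above concrete (share of clients with Flash, then share of those on a build older than the current one, and the relative increase between weeks), here is an added example that is not part of the post or Zscaler's tooling. The telemetry records are constructed, `PRE_PATCH_CURRENT` is assumed from the 10.3.181.16 release quoted above, and `FIXED_VERSION` is a placeholder for the build number in Adobe's bulletin.

```python
"""Patch-rate metric from per-client Flash version telemetry (added example)."""

# PLACEHOLDER / assumption: first build carrying the CVE-2011-2110 fix.
# The post does not state it; take the real value from Adobe's bulletin.
FIXED_VERSION = "10.3.181.26"
# Assumption: newest build available in the week before the fix shipped.
PRE_PATCH_CURRENT = "10.3.181.16"

# Constructed telemetry, not real data: (client id, reported Flash version,
# or None when the client has no Flash). Same block of clients both weeks.
WEEK_BEFORE = [("c1", "10.3.181.14"), ("c2", "WIN 10,2,159,1"), ("c3", None),
               ("c4", "10.3.181.16"), ("c5", "10.3.181.16")]
WEEK_AFTER = [("c1", "10.3.181.14"), ("c2", "10.3.181.26"), ("c3", None),
              ("c4", "10.3.181.16"), ("c5", "10.3.181.9")]


def parse_version(v: str) -> tuple:
    """Normalise 'WIN 10,3,181,16' or '10.3.181.16' to (10, 3, 181, 16).

    Comparing tuples, not strings, is what keeps 10.3.181.9 below
    10.3.181.26; as text "9" sorts after "2" and the client looks current."""
    digits = v.split()[-1].replace(",", ".")
    return tuple(int(part) for part in digits.split("."))


def is_outdated(version: str, current: str) -> bool:
    return parse_version(version) < parse_version(current)


def patch_stats(records, current: str) -> dict:
    """Share of clients with Flash, and share of those below `current`."""
    versions = [v for _, v in records if v is not None]
    outdated = sum(is_outdated(v, current) for v in versions)
    return {
        "flash_installed_pct": 100.0 * len(versions) / len(records),
        "outdated_pct": 100.0 * outdated / len(versions),
    }


def relative_increase(before_pct: float, after_pct: float) -> float:
    """The post's 28.81% figure: ((after - before) / before) * 100."""
    return (after_pct - before_pct) / before_pct * 100.0


if __name__ == "__main__":
    before = patch_stats(WEEK_BEFORE, PRE_PATCH_CURRENT)
    after = patch_stats(WEEK_AFTER, FIXED_VERSION)
    print(before, after)
    print(f"{relative_increase(before['outdated_pct'], after['outdated_pct']):.2f}%")
    print(f"post's figure: {relative_increase(7.88, 10.15):.2f}%")
```

Note that a client on the newest build in the week before the patch becomes "outdated" the moment the fix ships, which is exactly the jump the post measures.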

2 comments:

Jon Daley said...

I am not quite sure I understand your statistics.

Are you saying that prior to the latest release you had X% of your customers running an out-of-date version, and after there was another update, you have X+Y% customers, presumably all of those who were running out-of-date didn't update, and most of the ones who *were* up-to-date are no longer?

That seems what one would expect.

I originally thought you were saying that it was a different crowd of people visiting your website, but I think you are talking about your customers, so presumably the same block of people.

Mike Geide said...

Jon, you're correct in your statement - in each case it is the same block of people. Roughly 7.88% of those running Flash prior to the patch were out of date; after the patch was released it increased to 10.15%. This 2.27% increase (X+Y%) is a 28.81% percentage increase in those running out of date Flash. I calculated this by: ((10.15 - 7.88) / 7.88) * 100.
Thanks!