A prominent figure in the computing world made headlines last year for his thoughts on Flash. Simply put, "Flash is evil." Of course, Flash either ran poorly on his company's products or was completely unsupported on others. Whatever his motivations or biases, he could be right about Flash being evil, if you consider the number of critical vulnerabilities the thing attracts. In fact, Adobe's products managed to occupy five of the top ten PC vulnerabilities, dominating the list and beating out Microsoft, which made up the list last year.
This time around, Microsoft's only entry in the list was a vulnerability in how Microsoft Office OneNote handled URIs. The other three companies were Apple, with one advisory covering multiple QuickTime holes; Sun, with two security advisories covering multiple Java vulnerabilities in the Java Runtime Environment and the Java Development Kit; and the maker of Winamp, with one MIDI-related vulnerability. One observation is clear: almost all of these advisories concern products that interact with the Internet or hook into web browsers.
The list was compiled by Kaspersky Lab (via The Inquirer). The top ten application vulnerabilities, with the Secunia advisory ID and the percentage of computers on which each vulnerability was detected, are as follows:
- SA 41340: Adobe Reader/Adobe SING "uniqueName" Buffer Overflow Vulnerability (40.78%)
- SA 41917: Adobe Flash Player Multiple Vulnerabilities (31.32%)
- SA 43267: Adobe Flash Player Multiple Vulnerabilities (24.23%)
- SA 43262: Sun Java JDK / JRE / SDK Multiple Vulnerabilities (23.71%)
- SA 41791: Sun Java JDK / JRE / SDK Multiple Vulnerabilities (21.62%)
- SA 39259: Apple QuickTime Multiple Vulnerabilities (12.16%)
- SA 39272: Winamp MIDI Timestamp Parsing Buffer Overflow Vulnerability (9.40%)
- SA 31744: Microsoft Office OneNote URI Handling Vulnerability (9.05%)
- SA 42112: Adobe Shockwave Player Multiple Vulnerabilities (8.78%)
- SA 39272: Adobe Reader / Acrobat Multiple Vulnerabilities (8.18%)