An analysis of how quickly different browser users patch Adobe Flash vulnerabilities shows a marked variation among browser makers. The data suggest that Google Chrome and Mozilla Firefox users tend to get Flash updates relatively quickly, while many users on Microsoft’s Internet Explorer browser consistently lag behind.
The information comes from ThreatMetrix, a company that helps retailers and financial institutions detect and block patterns of online fraud. ThreatMetrix Chief Technology Officer Andreas Baumhof looked back over the past five months across 10,000+ sites the company serves, to see how quickly visitors were updating to the latest versions of Flash.
Baumhof measured the rates of update adoption for these six Flash patches:
Jan 14, 2014 – APSB14-02 Security updates available for Adobe Flash Player (2 critical vulnerabilities)
Feb 4, 2014 – APSB14-04 Security updates available for Adobe Flash Player (2 critical flaws, including 1 zero-day)
Feb 20, 2014 – APSB14-07 Security updates available for Adobe Flash Player (1 zero-day)
Mar 11, 2014 – APSB14-08 Security updates available for Adobe Flash Player (2 critical vulnerabilities)
Apr 8, 2014 – APSB14-09 Security updates available for Adobe Flash Player (4 critical vulnerabilities)
Apr 28, 2014 – APSB14-13 Security updates available for Adobe Flash Player (1 zero-day)
Overall, Google Chrome users were protected the fastest. According to Baumhof, Chrome usually takes just a few days to push the latest update out to 90 percent of users. Chrome pioneered auto-updates for Flash several years ago, with Firefox and newer versions of IE both following suit in recent years.
Interestingly, the data show that IE users tend to receive updates at a considerably slower clip (although there are a few times in which IE surpasses Firefox users in adoption of the latest Flash updates). This probably has to do with the way Flash is updated on IE, and the legacy versions of IE that are still out there. Flash seems to have more of a seamless auto-update process on IE 10 and 11 on Windows 8 and above, and more of a manual one on earlier versions of the browser and operating system.
Another explanation for IE’s performance here is that it is commonly used in business environments, which tend to take a few days at least to test patches before rolling them out in a coordinated fashion across the enterprise along with the rest of the Patch Tuesday updates.
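The measurement described above reduces to one question per sighting: is the Flash build this client reports at or above the build that fixed a given bulletin? The following Python script is added here as an illustration (it is not ThreatMetrix's code, and the telemetry in it is constructed). It normalises the version strings the ActiveX control and the NPAPI plugin report, scores each sighting against a bulletin, and finds the day on which a browser family crosses the 90 percent mark Baumhof uses as his yardstick. The fixed-build numbers in the table are from memory and should be checked against Adobe's bulletins; the page itself only confirms 12.0.0.44 as the Feb 4 (APSB14-04) release.

```python
"""Score browser sightings against Adobe Flash security bulletins.

Added example: not ThreatMetrix's code, and the sample telemetry below is
constructed.  A record is (days since the bulletin shipped, browser family,
Flash version string exactly as the client reported it).
"""
import re
from collections import defaultdict

# Assumed first fixed build for each bulletin the article lists (from memory;
# verify against Adobe's APSB pages).  The page itself confirms only that
# 12.0.0.44 was the Feb 4 (APSB14-04) release.
FIXED_BUILD = {
    "APSB14-02": (12, 0, 0, 38),
    "APSB14-04": (12, 0, 0, 44),
    "APSB14-07": (12, 0, 0, 70),
    "APSB14-08": (12, 0, 0, 77),
    "APSB14-09": (13, 0, 0, 182),
    "APSB14-13": (13, 0, 0, 206),
}

# Four numeric fields separated by '.' (NPAPI plugin.version, "12.0.0.77")
# or ',' (ActiveX $version, "WIN 12,0,0,77").
_FOUR_PART = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_version(reported):
    """Return the build as a 4-tuple, or None if the client only exposed
    major.minor (e.g. the plugin description "Shockwave Flash 12.0 r0"),
    which cannot distinguish a patched build from an unpatched one."""
    m = _FOUR_PART.search(reported)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(reported, bulletin):
    """True when the reported build is at or above the bulletin's fixed build.
    Unknown versions count as unpatched, so the metric errs on the safe side.
    Caveat: Adobe also shipped fixes on an older extended-support branch; a
    plain tuple comparison would mark such a build unpatched."""
    build = parse_version(reported)
    return build is not None and build >= FIXED_BUILD[bulletin]


def adoption_by_day(records, bulletin):
    """browser -> {day -> fraction of sightings that were patched}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [patched, total]
    for day, browser, reported in records:
        c = counts[browser][day]
        c[1] += 1
        if is_patched(reported, bulletin):
            c[0] += 1
    return {b: {d: p / t for d, (p, t) in days.items()}
            for b, days in counts.items()}


def days_to_threshold(adoption, browser, threshold=0.9):
    """First day on which a browser family reaches the threshold, else None."""
    for day in sorted(adoption.get(browser, {})):
        if adoption[browser][day] >= threshold:
            return day
    return None


def constructed_sample():
    """Constructed sightings for APSB14-08 (fixed build 12.0.0.77)."""
    rows = []
    # Chrome: 3 of 4 patched on day 1, 9 of 10 by day 3
    rows += [(1, "Chrome", "12.0.0.77")] * 3 + [(1, "Chrome", "12.0.0.70")]
    rows += [(3, "Chrome", "12.0.0.77")] * 9 + [(3, "Chrome", "12.0.0.70")]
    # IE reports ActiveX-style strings; uptake is slow and never hits 90%
    rows += [(1, "IE", "WIN 12,0,0,77")] + [(1, "IE", "WIN 12,0,0,44")] * 4
    rows += [(10, "IE", "WIN 12,0,0,77")] * 4 + [(10, "IE", "WIN 12,0,0,70")]
    # Firefox: one client exposes only major.minor and is scored unpatched
    rows += [(1, "Firefox", "12.0.0.77"), (1, "Firefox", "Shockwave Flash 12.0 r0")]
    rows += [(5, "Firefox", "12.0.0.77")] * 9 + [(5, "Firefox", "Shockwave Flash 12.0 r0")]
    return rows


if __name__ == "__main__":
    adoption = adoption_by_day(constructed_sample(), "APSB14-08")
    for browser, days in sorted(adoption.items()):
        trend = ", ".join(f"day {d}: {f:.0%}" for d, f in sorted(days.items()))
        print(f"{browser:8s} {trend}  -> 90% on day {days_to_threshold(adoption, browser)}")
```

Two measurement caveats show up in the sample data. A client that exposes only "major.minor" (the plugin description string rather than the full version) is scored as unpatched, which biases the adoption figure downward for whichever browser population reports that way; and a bulletin that also shipped a fix on Adobe's older extended-support branch needs a per-branch table rather than the single tuple comparison used here.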
The following graphic depicts Flash patch adoption by IE version for Period #4 in the image above, the Mar 11, 2014 update (APSB14-08 Security updates available for Adobe Flash Player, 2 critical vulnerabilities):
“In the period 4 you can see that IE11 is nicely up to 90% – which is in line with Chrome, but obviously the older the browser version, the less updated Flash is,” Baumhof said.
It’s unclear what might explain the apparent slow uptake of Flash patches for IE and Firefox users following the January and early April Flash updates. It’s worth noting, however, that the Flash patches which saw the fastest uptake regardless of browser type included fixes for zero-day vulnerabilities (see periods 2, 3 and 6 in the first graphic above).
While Chrome appears to have the speediest update process for Flash patches (the company frequently pushes Flash updates out even before Adobe releases them publicly), it’s important to remember that applying any auto-pushed Flash patches in Chrome requires a restart of the browser.
“I use Chrome and I typically never close my browser as I always just hibernate my computer,” Baumhof said. “I noticed that it took me almost seven days to apply a Flash update because Chrome could only do this when you restart the browser, and I simply wasn’t aware of it.”
Flash is a buggy security risk, but a great many Web sites simply won’t work or display certain content without the Flash plugin installed. As such, I’ve urged readers to take advantage of Click-to-Play, which blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash content inside of them.
My first thought was that this was going to be a big part of the user base and less the browser. Corporations yes, but somewhat less sophisticated users are likely to be a bigger portion of the mix for the default browser on Windows.
Remote measurement of browsers is likely to be a little sketchy. Take share. I have four browsers on my computer and use some more than others, depending on the application.
This article would have been even more useful if the manual and/or automatic Flash update initial availability had been compared between browsers, to include appropriate Operating System corresponding information. This would show what a user could do to stay current on Flash, as opposed to what is actually done in the field for various reasons. For example, the current Chrome browser usually but not always lags the available current Chrome beta browser for Windows. However, on at least two occasions the Chrome beta Flash level was behind Chrome by four days. I assume this happens as Google feels the Chrome beta update has a schedule of its own, independent of the importance of the seriousness of the available Flash update. This might be due to more complex Flash update testing with beta code.
Why no mention of Safari users? Obviously this doesn’t affect iPhone/iPad users because iOS doesn’t allow Flash, but the Mac version of Safari does.
My Apple updates are acting weird again. Google Maps will not complete on my iPad Retina. What’s going on now, Apple?
On top of click-to-play, I also use the “Click to Play per-element” addon to combat Firefox’s new, risky, annoying, unpopular behavior of automatically whitelisting the entire site instead of just enabling the single flash instance you clicked.
Our enterprise (35,000+ machines) only pushes out Microsoft’s updates relatively quickly after Black Tuesdays, and IE8 is our corporate-standard browser (though I also use other browsers). A couple days ago after the latest Flash update was released, I took a straw poll of users in our department, and they uniformly had Flash Player 12.0.0.44 (the February 4 update). I update my own PCs manually when I receive the helpful notices from Krebs on Security, but I usually check the Adobe Web site when the Black Tuesday notice from Microsoft arrives.
The situation with Java Runtime, which Mr. Krebs has discussed at length, is even worse. Because of mission-critical enterprise Web apps, we are marooned on Java 6, and I have seen the occasional machine which is still running Java 1.5. Fortunately, Java is not as widely distributed here as Flash.
I believe this has been mentioned here before, but I think it bears repeating. Firefox has an add-in called QuickJava, which allows you to only show Java, Flash, Silverlight and several other types of media sources on demand only. All sources specified by the user are disabled by default, and in their places on webpages are buttons to click if you’d like to see the content they’re placeholding. This virtually removes all need to be up-to-date on these plug-ins as a security precaution, assuming that the user can accurately guess which buttons are safe to click on and enable the content. I generally only update Flash and Java if some website needs the latest version to operate correctly, and it’s getting to be over a decade now since I last saw any sign of malware in my Windows XP. (Granted, I do more than simply rely on this one add-in.) Quick Java also eliminates the drive by type of web malware infestation that can zing you just by navigating to a webpage, again assuming that the user won’t click on an ad or anything else just for the heck of it and is careful about anything he or she does click on.
Of course QuickJava will be of little use to click-happy people who don’t have a care in the world when they’re on the internet, but I truly doubt there’s any real hope or help for them.
As a QuickJava fan for years now, I’ve done away with the extension. Firefox implements click-to-play now, and is more seamless, at least if you don’t mind reading banner bars across the top informing you of the content that was blocked.
Just go into the Add-Ons area, Plugins, and switch all plugins to Ask to activate. The Firefox method has the advantage of supporting all plugins, not just a few specific ones like QuickJava.
Thanks for the tip!
FlashBlock add-on does the same for Firefox. Great tool.
I, too, would like to know where Apple sits on this issue of browser updates, especially considering the market share the iPhone has. I know that Flash is not an issue, but just the whole issue of patches and browser updates.
I think internet users are really getting fed up with all the updates on Microsoft machines and moving to either Macs or Android-based tablets.
Brian Krebs wrote, “…business environments, which tend to take a few days at least to test patches before rolling them out in a coordinated fashion across the enterprise along with the rest of the Patch Tuesday updates.”
Brian — Do you counsel your clients to postpone a few days before implementing updates while the rest of the world figures out whether or not there’s anything defective in the patches? If you do, does this precaution apply to the Flash and Java updates as well as the Microsoft updates?
When it comes to Microsoft patches that have to be deployed across multiple systems in an enterprise, yeah, I would test them first.
If we’re talking about what is essentially a browser plugin update, I’d take care of that right away. That’s why Microsoft has update guidance about which patches to push out right away and which ones can more safely be left for testing before applying. The update mechanisms that Microsoft provides to enterprises make it fairly simple to apply some updates and not others right away.
How many hours do you spend testing a patch for Windows and an update for a plug-in? How do you check? I normally just check by browsing 2-3 websites.
Thanks for the guidance, Brian. Due to a shortage of spare machines on which to “test” Microsoft’s handiwork, I think I’ll maintain my bet-hedging practice of NOT installing any Microsoft patches on the day they come out.
As readers of my previous comments on your blog have seen before (e.g., http://krebsonsecurity.com/2014/05/microsoft-issues-fix-for-ie-zero-day-includes-xp-users/comment-page-2/#comment-247962), I have little patience for, or understanding of, Microsoft’s consistently poor track record in quality control of its OS and browser patches. Just earlier this month, they goofed the install of security updates 2964358 / 2929437 on Windows 7 / IE 11 systems, as commenter “Dean” could attest.
BTW, earlier this month you wrote, “This month’s batch also includes a .NET fix, which in my experience is best installed separately.” Do you know if .NET updates will be available to XP users, or has that support been discontinued, too?
Man, flash flash flash flash flash all my exploits.
Flash should just get out of the browser like Java and just run trusted Flash movies (swf).
I’ve got Group Policy set to silently update Flash on PCs on our network. I couldn’t figure out why it wasn’t working from 12.x to the 13.0.x release recently. Eventually I found a comment on a forum that Adobe delay “major” version updates via auto-updates for ~30 days (IIRC).
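For readers who want to replicate the silent-update setup this commenter describes, here is an mms.cfg fragment added as an illustration (it is not the commenter’s own configuration). The keys are the ones Adobe documents in its Flash Player administration guide; the file is read from %WINDIR%\System32\Macromed\Flash on 32-bit Windows and %WINDIR%\SysWOW64\Macromed\Flash on 64-bit Windows, so confirm the path for your build before pushing it via Group Policy. Note that AutoUpdateDisable=1 overrides SilentAutoUpdateEnable, which is the usual reason a "silent" deployment never updates anything.

```ini
# Weak setting: background updates off entirely. Users only get a new
# build when they visit adobe.com (and click through the bundled offers).
AutoUpdateDisable=1

# Corrected setting: background checks on, and allowed to install
# without prompting. AutoUpdateInterval is in days; 0 means "check
# every time the player starts" rather than the default of once a week.
AutoUpdateDisable=0
SilentAutoUpdateEnable=1
AutoUpdateInterval=0
```

Two caveats. On Windows 8 and later the IE ActiveX control is serviced through Windows Update, as the article notes, so these settings govern only the NPAPI plugin used by Firefox there. And, as far as I know, nothing in mms.cfg is documented to override Adobe’s own staging of a major-version background update such as the 12.x to 13.x step the commenter hit, so a GPO-deployed MSI of the new release remains the way to get that jump on day one.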
Adobe Flash, on Windows at least, has a tolerably useless automatic update system. Reliable and timely it is not.
Don’t forget that Adobe Shockwave provides its own Flash runtime, and the latest Shockwave version has *none* of the above fixes. http://www.kb.cert.org/vuls/id/323161
“Flash seems to have more of a seamless auto-update process on IE 10 and 11 on Windows 8 and above”
Flash is basically integrated into Windows 8, and so updates come from Windows Update. This, of course, has its own advantages and disadvantages.
I think there’s also a TON to be said about how Adobe Flash (and Java) go about updating. More and more often, users are being forced to go to the Adobe website to download Flash updates, rather than updating through the program itself.
So people just don’t bother to make that effort (much less unclick boxes to keep bundled software from installing).
VDI is the way to go. We’re moving to Citrix-based Virtual Desktop for all user Internet access.
Internal user PCs will not have any plugins or “extras” that our internal apps don’t require. Internal user PCs will get 3rd-party patches quarterly, that’s it. We’re just too tired of the rat race always trying to patch.
The advantage with a VDI solution is you just patch your VDI servers and then you’re done. All external access is now as “safe” as it can be. Furthermore, our VDI server farm for this is in a DMZ, so even if compromised it can only access a shared “drop box” location for users to download/upload files between this VDI DMZ and their internal PCs.
I have a sneaking suspicion that the slow uptake on that particular release of Flash was due to update fatigue. Individuals updated their version of Flash, but when Adobe released a new version a few days later, they didn’t update to that version.
Another wrinkle in slow uptake is Adobe’s auto-update method which frequently delays updates by a week or more. If multiple updates are skipped (for example, if a system was shut down before leaving on a long trip), then occasionally Flash will refuse to auto-update and forces users to manually update (so they’ll get prompted to install that Ask.com/McAfee/etc. ridiculous payload that Adobe generates revenue from).
GNU/Linux desktop distro update managers keep both Flash Player and Java (OpenJDK JRE) up-to-date provided that the users apply the updates in a timely manner.
I would love to see a comparison amongst various OS defaults, Windows/Internet Explorer, OS X/Safari and GNU/Linux/Firefox. Windows 8 taking responsibility for updating IE 10 and 11 Flash Player is a blessing if one uses Flash Player and a curse (think of Flash Player zero-days) if one does not. Ditto for Linux Mint and other Linux distros that default with Flash Player.
Since when did Firefox have an auto-update for Flash? I still have to do it manually.