Symantec.com > Enterprise > Security Response > Internet Security Threat Report > View the Report > Vulnerability Trends

Vulnerability Trends

Vulnerability Trends | Total Number of Vulnerabilities | Zero-Day Vulnerabilities | Notable Zero-day Attacks | Web Browser Vulnerabilities | Web Browser Plug-in Vulnerabilities | Web Attack Toolkits | SCADA Vulnerabilities

Web Browser Plug-in Vulnerabilities

Background

This metric examines the number of vulnerabilities affecting plug-ins for Web browsers. Browser plug-ins are technologies that run inside the Web browser and extend its features, such as allowing additional multimedia content from Web pages to be rendered. Although this is often run inside the browser, some vendors have started to use sandbox containers to execute plug-ins in order to limit the potential harm of vulnerabilities.
Many browsers now include various plug-ins in their default installation and, as well, provide a framework to ease the installation of additional plug-ins. Plug-ins now provide much of the expected or desired functionality of Web browsers and are often required in order to use many commercial sites. Vulnerabilities affecting these plug-ins are an increasingly favored vector for a range of client-side attacks, and the exploits targeting these vulnerabilities are commonly included in attack kits. Some plug-in technologies include automatic update mechanisms that aid in keeping software up to date, which may aid in limiting exposure to certain vulnerabilities. To help mitigate the risk, some browsers have started to check for the version of installed third party plug-ins and inform the user if there are any updates available for install.

Methodology

Web browser plug-in vulnerabilities comprise a sub-set of the total number of vulnerabilities cataloged by Symantec over the reporting period. The vulnerabilities in this section cover the entire range of possible severity ratings and include vulnerabilities that are both unconfirmed and confirmed by the vendor of the affected product. Confirmed vulnerabilities consist of security issues that the vendor has publicly acknowledged, by either releasing an advisory or otherwise making a public statement to concur that the vulnerability exists. Unconfirmed vulnerabilities are vulnerabilities that are reported by third parties, usually security researchers, which have not been publicly confirmed by the vendor. That a vulnerability is unconfirmed does not mean that the vulnerability report is not legitimate, only that the vendor has not released a public statement to confirm the existence of the vulnerability.

Data

Symantec analyzed the following plug-in technologies:
  • Adobe Reader
  • Adobe Flash Player
  • Apple QuickTime
  • Microsoft ActiveX
  • Mozilla Firefox extensions
  • Oracle Sun Java Platform Standard Edition (Java SE)
Figure D.11: Plugin Vulnerabilities in 2010 and 2011.  Source: Symantec

Commentary

  • In 2011, 308 vulnerabilities affecting browser plug-ins were documented by Symantec, a slight decrease, compared to 346 vulnerabilities affecting browser plug-ins in 2010.
  • ActiveX vulnerabilities decreased further in 2011, continuing the trend for the recent years. This may be due to the increased usage of Internet Explorer 8 which has an enhanced security features surrounding ActiveX plug-ins15 .
  • Adobe Flash and Java vulnerabilities increased both by 3 percent in 2011. This trend was already visible in 2010 and grew again. This is also reflected in the vulnerability usage in attack toolkits which have focused around Adobe Flash, Adobe PDF Reader and Java in 2011.