As per Qualys’s analysis, based on BrowserCheck data, the dubious distinction of being the most vulnerable plugin belongs - surprise, surprise - to Java, and not the much more maligned Adobe Flash. While Java was found to be installed on 80 percent of the 420,000 browsers scanned by the company, the firm found that 40 percent of all Java installs were out-of-date and therefore vulnerable.
Adobe Reader is next on the list with a bit over 30 percent of all the browsers it was installed on having an outdated version. Flash Player, the most ubiquitous plugin on the list, was found to be outdated on only 20 percent of the browsers. Despite their small install base, Shockwave and Quicktime aren’t far behind when it comes to being vulnerable. They were found to be out-of-date on 20-25 percent of the browsers they were installed on.
Commenting on the cause of the problem, Qualys CTO Wolfgang Kandek perhaps hit the nail on the head when he said: “The problem is that they all have their own individual updating mechanisms. It makes the problem much bigger than it needs to be.”