90% of all Windows machines are vulnerable to Adobe Flash vulnerabilities… (not really breaking news by any means for security professionals, right?). But for the average home user I certainly hope it is. You see articles all the time talking about the latest client-side vulnerabilities, and usually they are talking about just one specific vulnerability. What about all the other client-side software that users fail to either patch or keep up to date? Shall I give you examples besides Adobe Flash? How’s this for starters?
The scary thing is that the “average” user really has no clue why this software should be updated and patched, even when they are prompted by the application to “Update me now!”. Most users will just click “cancel” and go about their business… and if their business includes checking their email, let’s hope there isn’t a malicious PDF waiting for them in their inbox… or a link taking them to the latest Excel exploit. This is currently the most popular attack vector, and until applications get smarter about how they update themselves, programmers learn secure coding practices, and users become security aware, these types of attacks will “keep on coming”. Oh, and don’t forget about 0day vulnerabilities like the ones discovered in the pwn to own contest at CanSecWest.