Oracle Java the most risky software despite increase in Microsoft flaws

Versions of Apple QuickTime, Adobe Reader and VLC Media Player also rank highly on 'most exposed' list

Oracle Java is the most exposed of any piece of PC software, despite the number of reported vulnerabilities in Microsoft products increasing two-fold, according to a report by vulnerability management firm Secunia.

Secunia's PSI Country Report for Q4 explained that between January and December 2014, vulnerabilities originating from Microsoft programs accounted for 47 per cent of the total, with another 47 per cent originating from third-party vendors. The remaining six per cent originated from operating systems.

The report then listed the top 10 most vulnerable programs based on risk exposure. Secunia calculated this by multiplying each product's percentage market share by the percentage of its installations that are unpatched.

In the last four quarters, Oracle Java JRE 1.7.x / 7.x was the most exposed program, followed by Apple QuickTime 7.x and Adobe Reader X 10.x. In fourth place was VLC Media Player 2.x, and in fifth was Adobe Reader XI 11.x.

Microsoft dominates the rest of the top 10, with Microsoft .NET Framework 2.x, 4.x and 3.x next up on the list, and Internet Explorer 11.x in ninth. Node.js 0.x completes the top 10.

Secunia said that if a vulnerable program remains unpatched on a PC, that PC is open to exploitation by hackers.

"So if 43 per cent of PCs running Adobe Reader X 10.x, who have a 31 per cent market share, are unpatched, 13 per cent of all PCs are made vulnerable by that program," the report reads.

Secunia urged users to remove end-of-life programs that are no longer maintained and supported by their vendor and which therefore do not receive security updates.

The top 10 list of end-of-life programs included Adobe Flash Player (both 15.x and 11.x), Google Chrome (38.x and 37.x) and Mozilla Firefox (33.x and 32.x).