I read this week that 61% of Adobe Reader installations in workplaces are out of date.
That’s very bad. Very, very bad. Because Adobe Reader is trivially easy to exploit, and there’s more sensitive information to steal on corporate PCs than there is on home PCs.
Do a little searching, and it’ll disturb you how easy it is to exploit PDF files. There are toolkits that do all the work for you. Just write up a fake resume as a PDF, plant an exploit in it, then e-mail it to every corporate address you can find. When someone opens the document, you’ve got a command prompt on their computer.
A few minutes with a book on Metasploit will enlighten you on just how much you can do with outdated software and users willing to open anything and everything they’re sent.
Most corporations block all downloads at the firewall or with a content filtering proxy. This helps keep people from installing badly behaved software on their computers (Webshots and Weatherbug were the favorites in my day; I’m sure there are others now), and that’s important. But that means you need to do something to deploy up-to-date versions of the legitimate software.
Ivanti Patch (formerly VMware vCenter Protect) is a good product for this. Back when it was known as Shavlik NetChk Protect, I used to spend entire workweeks at a time using it to scan hundreds of servers around the world and bring them up to date. It was extremely effective. Besides Microsoft products, it also detects and updates Adobe products, Sun/Oracle Java, and Mozilla products.
It’s expensive, but companies should look at products like this the same way they do firewalls. The data they’re protecting is valuable, so of course protecting it isn’t always cheap. It’s worth grabbing the free trial to see just how unhealthy your network is.