Six out of every ten users of Adobe Reader are running unpatched versions of the software, leaving them vulnerable to a variety of malware attacks, according to researchers at security firm Avast.
The researchers found that 20% of users have an unpatched version of Adobe Reader that is at least two generations old.
Adobe Reader is the most popular PDF reader and is consequently the biggest target for malware, according to Avast, with 80% of Avast users running a version of Adobe Reader.
"There is a basic assumption that people will automatically update or migrate to the newer version of any program, but with Adobe Reader, at least, this assumption is wrong, and it is exposing users to a wide range of potential threats," said Ondrej Vlcek, chief technology officer at Avast.
Brad Arkin, senior director of product security and privacy at Adobe, said most consumers do not bother updating a free app such as Adobe Reader as PDF files can be viewed in the older versions, but corporate users generally have a better track record.
Malware PDF exploit packages will typically look for a variety of security weaknesses in the targeted computer, attacking when a vulnerability is discovered, with most exploits made to hit all vulnerable versions, not just one, said Vlcek.
"Libraries of code are shared between various Adobe versions, which also means that vulnerabilities are shared," he said.
Updates are the key security issue because the Avast researchers did not find a causal link between specific versions of Adobe Reader and exposure to malware.
Keeping older versions of Adobe Reader secure does require some user attention, said Arkin, but it is easy to stay fully patched with versions 8 or 9 by simply accepting the update notification, which a large percentage of users fail to do.
He said all users should update to Adobe Reader X with Protected View, which uses sandboxing technology to protect computer systems from malicious code.
"Our hope is that with the automatic update and the latest Adobe Reader X offering, we will see a measurable improvement on these statistics. We are really eager to get more users updated to the latest, most secure versions as quickly as possible," he said.