Microsoft Vs. Adobe security smack-down

I counted the number of vulnerabilities in Windows XP and Vista since January 2009 (from NVD), and compared that to Adobes security advisories for Flash player version 10 and Adobe Reader version 9.NOTE: I could not reliably get results from the NVD that matched Adobes publication from their website. Microsoft Windows XP: 85 Microsoft Windows Vista: 72  Adobe Reader 9: 23 (or more, some internally discovered/not reported) Adobe Flash Player 10: 17The tally begins with Microsoft at 85 and 72 and Adobe at 40.For two helper applications to have almost 50% of the reported vulnerabilities as a full-blown operating system that is approaching ten years old was a bit surprising to me.You might say many of the XP bugs have already been found, in which case you wouldnt expect the number of issues with Adobes applications to be 55% as many as Vista. In Microsofts most recent Security Intelligence Report they made quite a large issue that the vast majority of successful exploitations of Windows Vista were via third-party utilities, plugins and other tools.This may be true when specifically considering browser-based exploits, which are a large percentage of todays threat, yet it ignores the vastness of infections like Conficker. The risk of network worms like Conficker that are reported to have reached more than 10 million computers have a virility that is far more dangerous to our networks.Holes in listening network services present huge risks to users and businesses. Browser exploits certainly comprise most of the drive-by infections we see in the wild.SophosLabs have blogged many times about different exploits taking advantage of Flash Player, Adobe Reader or both throughout 2008 and 2009.Peter Szabo from our Australian lab even presented a paper on these issues at the Queensland Hi Tech Crime Symposium in Australia. Criminals taking advantage of applications and plugins that are not easily managed has been a trend that has increased dramatically in the last 24 months, and will likely continue to be a primary infection vector. I deliver a seminar around the United States called Anatomy of an Attack, and one of my primary pieces of advice to IT administrators is to reduce the threat surface (less software) and patch, patch, patch. Unfortunately for Adobe, they have been directly in the crosshairs of the enemy, and have provided fertile ground for exploitation.They are a victim of their own success, as nearly every computer attached to a network has Adobe Reader, Adobe Flash Player, or both.Adobe Flash does not include a method of managing or updating itself, and a large percentage of users are not running an up-to-date version. It was reported this week that Firefox now checks the version of Flash Player to provide a warning system if your plugin is out of date.It is great that Mozilla is raising awareness, but this only partly solves the problem. On Windows the Flash plugin for Internet Explorer is a separate install from Non-IE browsers, which mean anything using Explorer to render Flash content will still be at risk.I am afraid this will give a false sense of being fully patched.