Oracle Java, Apple QuickTime, and Adobe Reader lead the pack among the top ten most exposed programs in the U.S., according to a new country-specific study of vulnerable and unpatched software installed on PCs.

The programs were ranked by an exposure factor that combines two parameters: the program's market share (the percentage of scanned PCs on which it is installed) multiplied by the percentage of those installations that remain unpatched even though a fix is available.

The report also lists how many vulnerabilities were detected and disclosed for each of these programs over the last four quarters, April 2014 through March 2015:

“If a vulnerable program remains unpatched on your PC, it means that your PC is vulnerable to being exploited by hackers,” the report noted (PDF).

“So if 65% of PCs running Adobe Reader X 10.x, which has a 25% market share, are unpatched, 17% of all PCs are made vulnerable by that program. The same PC can have several other unpatched, vulnerable programs installed.”
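The exposure factor described above is easy to compute from raw scan data, and doing so makes the report's last sentence concrete: because one PC can carry several unpatched programs, per-program exposures overlap and do not add up to the share of PCs that are exposed. The following is an added example, not code from the report or from Secunia; the scan rows are constructed, the program names are illustrative, and `rank_exposure` and `pcs_with_any_unpatched` are hypothetical helper names. It works in fractions where the report quotes percentages.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample scan: one row per (PC, program) pair, in the shape a
# patch-scanning agent might report. Not real Secunia data.
SCAN = [
    ("pc01", "Adobe Reader X 10.x", False),
    ("pc02", "Adobe Reader X 10.x", False),
    ("pc03", "Adobe Reader X 10.x", False),
    ("pc04", "Adobe Reader X 10.x", True),
    ("pc01", "Oracle Java JRE 1.8", False),
    ("pc02", "Oracle Java JRE 1.8", True),
    ("pc05", "Oracle Java JRE 1.8", False),
    ("pc06", "Oracle Java JRE 1.8", True),
    ("pc07", "Oracle Java JRE 1.8", True),
    ("pc08", "Oracle Java JRE 1.8", True),
    ("pc03", "Apple QuickTime 7.x", False),
    ("pc04", "Apple QuickTime 7.x", True),
] + [(f"pc{n:02d}", "Mozilla Firefox", True) for n in range(1, 9)]

TOTAL_PCS = 8  # number of scanned PCs; market share is relative to this figure


@dataclass
class Exposure:
    program: str
    market_share: float     # fraction of scanned PCs with the program installed
    unpatched_share: float  # fraction of those installs missing an available patch
    exposure: float         # market_share * unpatched_share (the report's factor)


def rank_exposure(scan, total_pcs):
    """Compute the exposure factor per program from raw scan rows.

    Returns a list of Exposure records, most exposed first.
    (Hypothetical helper, not part of the report.)
    """
    installs = defaultdict(set)
    unpatched = defaultdict(set)
    for pc, program, patched in scan:
        installs[program].add(pc)
        if not patched:
            unpatched[program].add(pc)

    rows = []
    for program, pcs in installs.items():
        share = len(pcs) / total_pcs
        unp = len(unpatched[program]) / len(pcs)
        rows.append(Exposure(program, share, unp, share * unp))
    return sorted(rows, key=lambda r: r.exposure, reverse=True)


def pcs_with_any_unpatched(scan, total_pcs):
    """Fraction of scanned PCs carrying at least one unpatched program.

    This is the PC-level view: a PC with two unpatched programs is counted
    once, so this value is at most the sum of the per-program exposures.
    """
    exposed = {pc for pc, _, patched in scan if not patched}
    return len(exposed) / total_pcs


if __name__ == "__main__":
    rows = rank_exposure(SCAN, TOTAL_PCS)
    print(f"{'program':24} {'share':>6} {'unpatched':>10} {'exposure':>9}")
    for r in rows:
        print(f"{r.program:24} {r.market_share:6.0%} {r.unpatched_share:10.0%} "
              f"{r.exposure:9.1%}")
    print(f"sum of per-program exposures: {sum(r.exposure for r in rows):.1%}")
    print(f"PCs with any unpatched program: "
          f"{pcs_with_any_unpatched(SCAN, TOTAL_PCS):.1%}")
```

With the constructed data, Adobe Reader ranks first (50% share, 75% unpatched, 37.5% exposure) even though Firefox has a larger footprint, because a fully patched program contributes zero exposure regardless of market share. The per-program exposures sum to 75%, but only 50% of the PCs actually carry an unpatched program; the difference is the overlap the report alludes to.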

The report also identified the top ten end-of-life programs detected on PCs, meaning programs the developer no longer supports with patches for known vulnerabilities, with older versions of Adobe Reader, Microsoft XML Core Services (MSXML), and Google Chrome topping the list:

It is important to note that the report documents the state of security among U.S. PC users who run the Secunia Personal Software Inspector (PSI), a self-selected group that has chosen to install a patch-monitoring tool, so exposure in the general public may actually be higher than these findings reflect.

“It is worrying that, with such a high market share, one in five US users fail to patch their Adobe PDF reader. Considering the fact that PDF documents are a prominent attack vector used by hackers to gain entry into IT systems, users put themselves, and any system they are connected to, at risk by neglecting the security risk the popular reader represents when not maintained,” said Kasper Lindgaard of Secunia.

“It is paramount that users remember to patch their PDF readers, and that corporate IT teams have procedures in place to update all PDF readers on devices that are in any way connected to the company infrastructure.”

This was cross-posted from the Dark Matters blog.