MSXML, Java, and Adobe apps are the most unpatched Windows software

Secunia's quarterly report on which apps remain chronically unpatched on PCs shows Microsoft, Oracle, and Adobe have the most problematic products

Secunia has issued its third-quarter report on the state of vulnerable software in the U.S., and it's a rogues' gallery of the all-too-usual suspects.

Once again Microsoft, Adobe, and Oracle all made the list for having the most unpatched versions of their products in the wild ... but not necessarily in the ways you'd expect.

Secunia is best known for offering the Personal Software Inspector (PSI) app, which scans Windows and Android systems for known vulnerabilities in third-party products. Products that are out-of-date and have patches available are flagged for updates. Secunia then aggregates the data collected about the most commonly vulnerable products and organizes them by country.

The results can be surprising. As reported in a blog post, the most consistently unpatched component on Windows machines, for 11 straight months now, isn't Java or Flash -- although those routinely make the list. The biggest offender is Microsoft XML Core Services -- MSXML for short -- a Windows component with a history of security problems.

Why is MSXML such a security disaster? In large part because it exists in a number of different, parallel incarnations, not all of which are patched automatically. MSXML 4.0 in particular is a major source of problems, since it isn't part of Windows per se but is instead typically released with third-party software. It has to be patched manually, and few users bother to do this unless a) they're specifically aware of it or b) the software that uses it supplies the patch ... if it's even being updated at all, that is. (Worse, patches for older versions of MSXML are not being offered at all.)

Secunia's figures about MSXML are sobering: 79 percent of the PCs polled by Secunia in Q3 2013 had MSXML in some form. Fifty percent of those had an unpatched version. The combination of those two stats puts MSXML in the top slot.

Microsoft gets off lucky in one respect, though: MSXML has only had two new vulnerabilities reported across the last four quarters. The big loser this time around for total number of vulnerabilities is Adobe, with a whopping 243 vulnerabilities over the past year reported in AIR 3.x, Flash Player 11.x (why after all these years is Flash still such a hotbed of problems?), and Adobe Reader 10.x. Not far behind Adobe is -- who else? -- Oracle, with 160 known vulnerabilities in Java 1.7.x and 7.x over the past year.

Oracle also takes the booby prize for having the single biggest market share of software still in use beyond its end-of-life -- specifically, Java 1.6.x/6.x. Older versions of Java are a constant source of exploits that have apparently remained both unpatched and undetected for years.

Second place on that list goes to, surprisingly, Google's Chrome 28 -- but Chrome's meticulous self-updating system means the problem is a good deal less pronounced.

The MSXML issue is another example of how Windows XP's end-of-life issues pose major security and maintenance problems. It isn't just the OS itself that's no longer being supported or updated, but applications and components written specifically for it -- like earlier and now unsupported versions of MSXML -- that are getting their plugs pulled, too.

This story, "MSXML, Java, and Adobe apps are the most unpatched Windows software," was originally published on the InfoWorld Tech Watch blog.