The main reason blackhats are targeting adobe acrobat/flash these days more than they target IE is down to market share more than anything...
While no single browser has more than 50% market share, flash and acrobat are still installed on over 90% of machines making them prime targets.
Microsoft is by no means a "security leader", they still have by far and away the most insecure os currently available (not counting intentionally insecure systems used for training like dvl)...
Windows still has some major design flaws which impact security too, the file locking design and by extension the broken patching system (patches often appear installed, even if part of the install has failed), the crude file extension determine filetype (and executability) mechanism especially combined with hiding extensions by default, the ability to authenticate using password hashes directly, the default listening services (even on a standalone workstation) plus the practice of hiding these behind a software firewall rather than turning them off..
Then you have all the bloat required to support such an ageing patchwork codebase, plus all the additional crufty ways they try to work around the old design flaws, such as the fake registry and filesystems used to trick programs that expect to be installed/used as an admin user etc..
MS are stuck with a horrendous mess of a product, and no matter how much they try to polish it it's still going to be a turd... They'll never be a security leader until they ditch all the legacy cruft and start again from scratch.
Register
Redirection of blackhat resources
The main reason blackhats are targeting adobe acrobat/flash these days more than they target IE is down to market share more than anything...
While no single browser has more than 50% market share, flash and acrobat are still installed on over 90% of machines making them prime targets.
Microsoft is by no means a "security leader", they still have by far and away the most insecure os currently available (not counting intentionally insecure systems used for training like dvl)...
Windows still has some major design flaws which impact security too, the file locking design and by extension the broken patching system (patches often appear installed, even if part of the install has failed), the crude file extension determine filetype (and executability) mechanism especially combined with hiding extensions by default, the ability to authenticate using password hashes directly, the default listening services (even on a standalone workstation) plus the practice of hiding these behind a software firewall rather than turning them off..
Then you have all the bloat required to support such an ageing patchwork codebase, plus all the additional crufty ways they try to work around the old design flaws, such as the fake registry and filesystems used to trick programs that expect to be installed/used as an admin user etc..
MS are stuck with a horrendous mess of a product, and no matter how much they try to polish it it's still going to be a turd... They'll never be a security leader until they ditch all the legacy cruft and start again from scratch.