According to data culled from Secunia's free software inspector, about 28% of all detected applications are affected by a known security vulnerability.
The utility, which uses a signature database to pinpoint the specific versions of all installed programs (browsers, plugins, IM and e-mail clients, media players, operating systems) on a user's computer, has conducted more than 350,000 inspections since December last year and the findings show exactly why we're in the midst of a malware epidemic.
Secunia's inspector identified about 4.9 million installed applications, and out of those, 1.4 million applications were found to be lacking critical security patches from the vendors. Digging deeper in the data, Secunia found that Opera users were the most tardy in applying critical patches for browser vulnerabilities.
Comparing browsers and looking at Firefox, Opera and Internet Explorer, we found out that Firefox 2 is the least vulnerable, as only 5.19% of all Firefox 2 installations miss security updates, whereas 11.96% of all Opera 9.x installations miss security updates, and the numbers for IE6 and IE7 are 9.61% and 5.4% respectively. These numbers are not that alarming and show that users are fairly concerned about applying relevant updates for their browsers – which naturally is one of the most exposed applications.
Secunia's data showed that 26.96% of all Winamp 5 installations miss important security updates and 33.14% of all QuickTime 7 installations are outdated.
And here's a great sign: Microsoft's Patch Tuesday update release cycle has clearly raised awareness among end users.
Most people using Windows and Microsoft products are usually aware of the monthly "Patch Tuesday" routine that Microsoft has set up, which can explain why the patch level for MS products is relatively high. These numbers also indicate that many people using Firefox and Opera are concerned about security and remember to keep their products updated.
Secunia believes the lax approach to patching flaws in applications like Winamp and QuickTime presents a "significant problem" because attackers can easily embed movie or music files into a Web page and trick an end user into launching a dangerous exploit. "All it takes is one unpatched QuickTime vulnerability and a provocative video title to compromise a lot of visitors," the company warned.
The operating systems, browsers, and Microsoft applications in general appear to be updated fairly regularly. But all other applications seem to be forgotten, or receive too low a priority given the severity of the issues, and the fact is that exploits are available for a great deal of them. Not to mention that corporations have much more to lose than just their credit card details; there are client lists, design blueprints, employee information, and more at stake.
Secunia also offers a corporate version of this tool for network administrators looking to find out exactly what's installed, what needs patching or which applications are out of support.