Zero Day

Ryan Naraine and Dancho Danchev

Secunia: Average insecure program per PC rate remains high

By Dancho Danchev | June 25, 2009, 11:21am PDT

Summary: With the time frame for an exploit to become an inseparable part of a web malware exploitation kit shrinking, and with the average Internet user’s over-confidence in an antivirus scanner’s ability to detect and block exploits (Secunia: popular security suites failing to block exploits) it shouldn’t come as a surprise that Secunia’s recently released WorldMap [...]

With the time frame for an exploit to become an inseparable part of a web malware exploitation kit shrinking, and with the average Internet user’s over-confidence in an antivirus scanner’s ability to detect and block exploits (Secunia: popular security suites failing to block exploits) it shouldn’t come as a surprise that Secunia’s recently released WorldMap shows a relatively high rate for insecure programs found on a single PC.

The WorldMap of patched and unpatched PCs is released prior to an updated version of Secunia’s Personal Software Inspector, with the latest version finally filling a niche left open potentially undermining the usefulness of the handy tool in general - measuring the exploitability of cross-browser plugins such as Adobe Flash Player, QuickTime, or Sun’s Java.

Let’s take a look at some of their stats.

North America is led by Cuba with 15 insecure programs on average, and with 4 insecure programs on average, Canada and Mexico lead the U.S which has 3 insecure applications installed per PC. However, Secunia’s emphasis on the big picture points out that there are at least 2.7 billion vulnerable programs installed in the U.S alone.

Mikkel Winther comments:

The fact that US based PC users have more than 2.7 billion vulnerable programs installed are shocking! And quite frankly I am very surprised, we had an idea it would be bad, but couldn’t imagine the enormous scope of this problem. And to make things even worse, the picture formed in the US is the same all over the world. PC users need to patch! They need to patch all their vulnerable programs and they need to do so as fast as possible after the patch has been issued from the vendor. Failing to do so is playing Russian Roulette with your IT security – it is only a question about time – and luck – when your system will be compromised.

South America is led by Guadeloupe with 12 insecure programs in average, San Marino with its 11 insecure programs on average leads Europe, and Yemen with 12 insecure programs on average tops Asia’s chart. These results should be considered as very conservative, with the real data itself much more disturbing if only all the Internet users in these countries were running the PSI.

Despite the fact that according to Secunia’s WorldMap there are countries like Burkina Faso with 20 insecure programs per PC, or Cuba with 15, it only takes a single unpatched application or a browser plugin in order for the cybercriminal to successfully exploit the host on-the-fly through a mix of popular exploits (Cybercriminals release Christmas themed web malware exploitation kit) embedded within a particular kit.

Prior to the official announcement of PSI 1.5, Secunia stated that “patching is more important than having an Anti-Virus program and a personal firewall.”

What do you think? Talkback.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Guy Kawasaki's Twitter account hijacked, pushes Windows and Mac malware

Michael Jackson's death themed malware campaigns spreading

Topics

PC, Secunia, Desktops, Viruses And Worms, Security, Hardware, Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Full Bio
Disclosure
Contact

Vendor HotSpot

Here to help you with your Document Management Needs

Read the DocuMentor blog now

Learn More »

Talkback Most Recent of 20 Talkback(s)

Follow via:: RSS; Email Alert

Generalizations are always bad

I see Secunia quoted as saying "Failing to do so is playing Russian Roulette with your IT security ? it is only a question about time ? and luck ? when your system will be compromised."

Yes, patching is an important part of a defense-in-depth strategy, but considering the "stopping power" of certain mitigations, such as a disallowed-by-default Software Restriction Policy combined with a low-rights user account, they're getting a little carried away with the sweeping generalizations. Dramatic, but not accurate.
mechBgon
25th Jun 2009
- Reply to
- Flag
Low-rights user accounts will not work

Too many people would need to keep on punching in a password to install things, which they do not wish to do.

No, what we need is something like UAC, that makes you CONFIRM that you wish something to install.

Really, every piece of software on a consumer PC should be automatic updated, there is no reason to have the customer have to click on something and then say "Search for update!" anymore.
Lerianis2
25th Jun 2009
- Reply to
- Flag
Low-rights accounts worked well for me

As a systems administrator at a non-profit agency, I gave all employees low-rights user accounts. It worked quite well for us. The employees had no business attempting to install software, so the fact that it would've required a password was a case of "no harm, no foul."

As for home/SOHO users, I support a few of them on an informal basis. The ones I'm supporting seldom install software. They use what they've got. I get them set up with an Admin and non-Admin account, tell them to use the non-Admin account except when they need Admin powers to install/remove software or hardware, and they seem to be able to handle that. There's some stupidly-made software that presumes Admin rights and won't work correctly without them, but it's going to get rare quickly as Vista and Win7 put pressure on the software developers to get with the program (haha).

I agree that it would be great for all consumer software to keep itself up-to-date by default, particularly for a person who normally uses a low-rights account.
mechBgon
25th Jun 2009
- Flag
This is where Linux wins big time

If you restrict yourself to only installing things from reputable repositories, Linux users get updates for all programs through 1 interface. For that reason, I believe Linux is the only one that would do relatively well were it ever to get 90% marketshare. As the last couple PWN2OWNs have shown, with the exception of OS X, hackers were not able to break in using a default, out of the box install of the OS.

Unfortunately, I don't believe this could be an option for Windows just because of its proprietary nature.

I should add that there is one thing to be aware of, you will have multiple patches waiting for you every single day. If people felt that patching once a month was a chore, this will be like torture!! Personally, I never found it to be a burden.
NonZealot
25th Jun 2009
- Reply to
- Flag
You can control *when* patching occurs

But in reality it's not that bad.

I'm on Ubuntu 9.04 and the patches come along every few days, sometimes once a week and only take a few minutes time and besides they run in the background so as to not interfere.
Dietrich T. Schmitz
25th Jun 2009
- Reply to
- Flag
That just gives me a 'warm and comfy' feeling about Windows...

...NOT!

Thank heavens for Ubuntu 9.04 Linux!
Dietrich T. Schmitz
25th Jun 2009
- Reply to
- Flag
Look up Vista security features...

when you get a chance, it has all the security features of the competition and probably a bit more, but don't let facts interrupt a good mindless anti-windows troll...
jamesrayg
25th Jun 2009
- Reply to
- Flag
And if Ubuntu actually became a SERIOUS OS...

Bt I doubt that will ever happen!! It s afterall the "Linux for dummies", being as inconfigurable as OS X!!

A simple point of fact is that whichever OS is dominant, or most popular, that will ALWAYS be the target for most viruses. In other words, if say Ubuntu became a serious player in the OS world, you'd be seeing a lot of viruses targeting it. And considering most Linux distros are open source, it would be a damn easy process for a malware writer to examine the basecode for potential vulnerabilities.
kaninelupus
27th Jun 2009
- Reply to
- Flag
Ubuntu is already a serious contender

Ubuntu is already a serious contender. Most people just don't see it because it doesn't involve massive sums of money or they have a vendetta against another other operating system other than the one they personally use. You get as much support and flexibility from the OS as you do from both Apple and Microsoft.

Dell and HP have seen its potential and are already firing it out on their systems AND people are buying it.
waynemeat
27th Jun 2009
- Flag
Anyone see the major flaw in this survey ?

Your average punter in the street has no clue as to what secunia is, it is the more savvy computer user that will most likely use this software so I suspect that actual incidence of insecure programs is much higher.
Alan Smithie
25th Jun 2009
- Reply to
- Flag
Ecosystem Improvement

Discussion around the unbundling of IE in Europe on W7 gave me an idea to improve the lot of the 'average user' and the ecosystem thereby.

Suppose that Secunia's PSI was modified slightly to suggest and support the installation of a basic set of applications for a new PC. Offering say:

IE, Chrome, Safari, Opera, Firefox
AVG, MSE, ...
Flash
Silverlight
JRE
Acrobat Redaer, Foxit, ...

You know - the usual suspects - and not much more to keep it simple.

So when you first boot up your new PC, PSI offers to install the basic applications of your choice (note YOUR choice). Not only does this guide the average user ... it leaves PSI running in the background to prod him about application updates (switching off prodding can of course be selected).

In other words M$ Update and PSI complement each other to keep systems current.
johnfenjackson@...
26th Jun 2009
- Reply to
- Flag
Hardening a system is more important than patching & AV

Hardening a system (disabling unnecessary processes, PROPERLY configuring the firewall for inbound & outbound, etc) is more important than patching (you don't need to patch the server service if it isn't there)... least important is AV. Most important is user education.

A properly hardened system with a user who is aware of how to safely use the computer is by far the best scenario.
s_southern
26th Jun 2009
- Reply to
- Flag
Hardening = moat, Unpatched 3rd party app = open draw bridge

Your hardened OS is going down if you don't secure the applications that run on top of it.
ejhonda
13th Aug 2009
- Reply to
- Flag
Secunia makes a great product: OSI & PSI

It's getting people to use it that's the issue, or more importantly getting people to follow up on the PSI results and update the 3rd party software PSI tags as needing updating.
ejhonda
26th Jun 2009
- Reply to
- Flag
Guadeloupe in South America?

I had thought it was an overseas French department in the Caribbean. I have seen geographers place the Caribbean as part of Central America, or sometimes as a geographic region of its own, but this is the first time I see it referred to as part of South America. Maybe because if you look it up on a map (or Google Earth), the islands are most definitely to the north of South America and don't fit in it even with a lot of good will.

It seems some guys at Secunia (and maybe at ZDnet) have missed some Geography classes at school...

This talkback post was brought to you from Brazil, which most definitely IS indeed in South America!
goyta
26th Jun 2009
- Reply to
- Flag