Secunia: Average insecure program per PC rate remains high
Summary: With the time frame for an exploit to become an inseparable part of a web malware exploitation kit shrinking, and with the average Internet user's over-confidence in an antivirus scanner's ability to detect and block exploits (Secunia: popular security suites failing to block exploits) it shouldn't come as a surprise that Secunia's recently released WorldMap shows a relatively high rate for insecure programs found on a single PC.
With the time frame for an exploit to become an inseparable part of a web malware exploitation kit shrinking, and with the average Internet user's over-confidence in an antivirus scanner's ability to detect and block exploits (Secunia: popular security suites failing to block exploits) it shouldn't come as a surprise that Secunia's recently released WorldMap shows a relatively high rate for insecure programs found on a single PC.
The WorldMap of patched and unpatched PCs is released prior to an updated version of Secunia's Personal Software Inspector, with the latest version finally filling a niche left open potentially undermining the usefulness of the handy tool in general - measuring the exploitability of cross-browser plugins such as Adobe Flash Player, QuickTime, or Sun's Java.
Let's take a look at some of their stats.
North America is led by Cuba with 15 insecure programs on average, and with 4 insecure programs on average, Canada and Mexico lead the U.S which has 3 insecure applications installed per PC. However, Secunia's emphasis on the big picture points out that there are at least 2.7 billion vulnerable programs installed in the U.S alone.
The fact that US based PC users have more than 2.7 billion vulnerable programs installed are shocking! And quite frankly I am very surprised, we had an idea it would be bad, but couldn't imagine the enormous scope of this problem. And to make things even worse, the picture formed in the US is the same all over the world. PC users need to patch! They need to patch all their vulnerable programs and they need to do so as fast as possible after the patch has been issued from the vendor. Failing to do so is playing Russian Roulette with your IT security – it is only a question about time – and luck – when your system will be compromised.
South America is led by Guadeloupe with 12 insecure programs in average, San Marino with its 11 insecure programs on average leads Europe, and Yemen with 12 insecure programs on average tops Asia's chart. These results should be considered as very conservative, with the real data itself much more disturbing if only all the Internet users in these countries were running the PSI.
Despite the fact that according to Secunia's WorldMap there are countries like Burkina Faso with 20 insecure programs per PC, or Cuba with 15, it only takes a single unpatched application or a browser plugin in order for the cybercriminal to successfully exploit the host on-the-fly through a mix of popular exploits (Cybercriminals release Christmas themed web malware exploitation kit) embedded within a particular kit.
Prior to the official announcement of PSI 1.5, Secunia stated that "patching is more important than having an Anti-Virus program and a personal firewall."
What do you think? Talkback.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
Generalizations are always bad ;)
Yes, patching is an important part of a defense-in-depth strategy, but considering the "stopping power" of certain mitigations, such as a disallowed-by-default Software Restriction Policy combined with a low-rights user account, they're getting a little carried away with the sweeping generalizations. Dramatic, but not accurate.
Low-rights user accounts will not work
No, what we need is something like UAC, that makes you CONFIRM that you wish something to install.
Really, every piece of software on a consumer PC should be automatic updated, there is no reason to have the customer have to click on something and then say "Search for update!" anymore.
Low-rights accounts worked well for me
As for home/SOHO users, I support a few of them on an informal basis. The ones I'm supporting seldom install software. They use what they've got. I get them set up with an Admin and non-Admin account, tell them to use the non-Admin account except when they need Admin powers to install/remove software or hardware, and they seem to be able to handle that. There's some stupidly-made software that presumes Admin rights and won't work correctly without them, but it's going to get rare quickly as Vista and Win7 put pressure on the software developers to get with the program (haha).
I agree that it would be great for all consumer software to keep itself up-to-date by default, particularly for a person who normally uses a low-rights account.
This is where Linux wins big time
Unfortunately, I don't believe this could be an option for Windows just because of its proprietary nature.
I should add that there is one thing to be aware of, you will have multiple patches waiting for you [b]every single day[/b]. If people felt that patching once a month was a chore, this will be like torture!! Personally, I never found it to be a burden.
You can control *when* patching occurs
I'm on Ubuntu 9.04 and the patches come along every few days, sometimes once a week and only take a few minutes time and besides they run in the background so as to not interfere.
That just gives me a 'warm and comfy' feeling about Windows...
Thank heavens for Ubuntu 9.04 Linux!
Look up Vista security features...
And if Ubuntu actually became a SERIOUS OS...
A simple point of fact is that whichever OS is dominant, or most popular, that will ALWAYS be the target for most viruses. In other words, if say Ubuntu became a serious player in the OS world, you'd be seeing a lot of viruses targeting it. And considering most Linux distros are open source, it would be a damn easy process for a malware writer to examine the basecode for potential vulnerabilities.
Ubuntu is already a serious contender
Dell and HP have seen its potential and are already firing it out on their systems AND people are buying it.
Anyone see the major flaw in this survey ?
Ecosystem Improvement
Suppose that Secunia's PSI was modified slightly to suggest and support the installation of a basic set of applications for a new PC. Offering say:
IE, Chrome, Safari, Opera, Firefox
AVG, MSE, ...
Flash
Silverlight
JRE
Acrobat Redaer, Foxit, ...
You know - the usual suspects - and not much more to keep it simple.
So when you first boot up your new PC, PSI offers to install the basic applications of your choice (note YOUR choice). Not only does this guide the average user ... it leaves PSI running in the background to prod him about application updates (switching off prodding can of course be selected).
In other words M$ Update and PSI complement each other to keep systems current.
Hardening a system is more important than patching & AV
A properly hardened system with a user who is aware of how to safely use the computer is by far the best scenario.
Hardening = moat, Unpatched 3rd party app = open draw bridge
Secunia makes a great product: OSI & PSI
Guadeloupe in South America?
It seems some guys at Secunia (and maybe at ZDnet) have missed some Geography classes at school...
This talkback post was brought to you from Brazil, which most definitely IS indeed in South America! :-)
RE: Secunia: Average insecure program per PC rate remains high
RE: Secunia: Average insecure program per PC rate remains high
KEN
Why it Matters, What You can Do!
http://download.cnet.com/AppGuard/3000-2239_4-10912598.html
Some insecure programs may not put your computer at risk
RE: Secunia: Average insecure program per PC rate remains high
<a href="http://www.yuregininsesi.com">seslisohbet</a> <a href="http://www.yuregininsesi.com">seslichat</a>