Secunia: Average insecure program per PC rate remains high


With the time frame for an exploit to become an inseparable part of a web malware exploitation kit shrinking, and with the average Internet user's over-confidence in an antivirus scanner's ability to detect and block exploits (Secunia: popular security suites failing to block exploits) it shouldn't come as a surprise that Secunia's recently released WorldMap shows a relatively high rate for insecure programs found on a single PC.

The WorldMap of patched and unpatched PCs is released ahead of an updated version of Secunia's Personal Software Inspector (PSI). The new version finally closes a gap that had been undermining the usefulness of this handy tool: it now measures the exploitability of cross-browser plugins such as Adobe Flash Player, QuickTime, and Sun's Java.

Let's take a look at some of their stats.

North America is led by Cuba with 15 insecure programs on average; Canada and Mexico, with 4 insecure programs on average, are ahead of the U.S., which has 3 insecure applications installed per PC. However, Secunia's emphasis on the big picture points out that there are at least 2.7 billion vulnerable programs installed in the U.S. alone.

Mikkel Winther comments:

The fact that US based PC users have more than 2.7 billion vulnerable programs installed is shocking! And quite frankly I am very surprised; we had an idea it would be bad, but couldn't imagine the enormous scope of this problem. And to make things even worse, the picture formed in the US is the same all over the world. PC users need to patch! They need to patch all their vulnerable programs and they need to do so as fast as possible after the patch has been issued from the vendor. Failing to do so is playing Russian Roulette with your IT security – it is only a question about time – and luck – when your system will be compromised.

South America is led by Guadeloupe with 12 insecure programs on average, San Marino with its 11 insecure programs on average leads Europe, and Yemen with 12 insecure programs on average tops Asia's chart. These results should be considered very conservative: they only reflect PCs that run the PSI, and the real picture would be far more disturbing if every Internet user in these countries were running it.

Despite the fact that, according to Secunia's WorldMap, there are countries like Burkina Faso with 20 insecure programs per PC, or Cuba with 15, it only takes a single unpatched application or browser plugin for a cybercriminal to exploit the host on the fly through the mix of popular exploits (Cybercriminals release Christmas themed web malware exploitation kit) embedded within a particular kit.
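As an added illustration of the two points above (a PSI-style tool counts unpatched programs and plugins per PC, and a single unpatched program is enough to expose the host), here is a small inventory check written for this article. It is not Secunia's code: the reference table, the program names and versions, and the three PC inventories are constructed placeholders rather than real advisory data, and `SECURE_VERSIONS`, `INSTALLED` and the helper functions are assumptions made for the example.

```python
"""Added example (not Secunia's code): a minimal PSI-style inventory check.

Assumptions, all constructed for illustration:
- SECURE_VERSIONS: hypothetical table of the earliest version of each program
  that carries all vendor fixes. Real PSI uses Secunia's advisory database;
  the values below are placeholders, not real advisory thresholds.
- INSTALLED: one list per PC of (program, installed_version) pairs.
"""
import re

# Constructed reference table: program -> lowest fully patched version.
SECURE_VERSIONS = {
    "Adobe Flash Player": "10.0.32.18",
    "Sun Java JRE": "1.6.0.15",
    "QuickTime": "7.6.2",
    "Firefox": "3.5.2",
    "Adobe Reader": "9.1.3",
}

# Constructed per-PC inventories: pc id -> list of (program, version).
INSTALLED = {
    "pc-01": [("Adobe Flash Player", "9.0.124.0"), ("Firefox", "3.5.2"),
              ("Sun Java JRE", "1.6.0.7")],
    "pc-02": [("Adobe Flash Player", "10.0.32.18"), ("QuickTime", "7.6.2")],
    "pc-03": [("Adobe Reader", "9.1.0"), ("Firefox", "3.0.10"),
              ("QuickTime", "7.5")],
}


def version_key(version):
    """Split '9.0.124.0' into (9, 0, 124, 0) so comparison is numeric.
    A plain string compare gets this wrong: '9.0.124' > '10.0.32' as text."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_insecure(program, version):
    """True when the installed version is older than the lowest patched one.
    Programs absent from the reference table are unknown and reported False."""
    secure = SECURE_VERSIONS.get(program)
    if secure is None:
        return False
    a, b = version_key(version), version_key(secure)
    # Pad with zeros so '7.5' compares as 7.5.0 against 7.6.2
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def insecure_programs(inventory):
    """Names of the programs in one PC's inventory that are unpatched."""
    return [prog for prog, ver in inventory if is_insecure(prog, ver)]


def insecure_count_per_pc(installed):
    """The per-PC figure the WorldMap averages: unpatched programs per machine."""
    return {pc: len(insecure_programs(inv)) for pc, inv in installed.items()}


def average_insecure(installed):
    """Average insecure programs per PC across the whole inventory set."""
    counts = insecure_count_per_pc(installed)
    return sum(counts.values()) / len(counts)


def exposed_pcs(installed):
    """PCs with at least one unpatched program. This is the set an exploit kit
    carrying the matching exploit can reach, however many other programs on
    the machine are fully patched: the count is a statistic, exposure is binary."""
    return sorted(pc for pc, inv in installed.items() if insecure_programs(inv))


if __name__ == "__main__":
    for pc, count in insecure_count_per_pc(INSTALLED).items():
        print(f"{pc}: {count} insecure program(s): {insecure_programs(INSTALLED[pc])}")
    print(f"average per PC: {average_insecure(INSTALLED):.2f}")
    print(f"exposed PCs: {exposed_pcs(INSTALLED)}")
```

The numeric version comparison is the part worth copying: a text comparison would rank Flash 9.0.124 above 10.0.32 and silently mark an old plugin as patched, which is exactly the kind of blind spot the article says the new PSI release set out to close for browser plugins.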

Prior to the official announcement of PSI 1.5, Secunia stated that "patching is more important than having an Anti-Virus program and a personal firewall."



Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

20 comments
  • Generalizations are always bad ;)

    I see Secunia quoted as saying "Failing to do so is playing Russian Roulette with your IT security – it is only a question about time – and luck – when your system will be compromised."

    Yes, patching is an important part of a defense-in-depth strategy, but considering the "stopping power" of certain mitigations, such as a disallowed-by-default Software Restriction Policy combined with a low-rights user account, they're getting a little carried away with the sweeping generalizations. Dramatic, but not accurate.
    mechBgon
    • Low-rights user accounts will not work

      Too many people would need to keep on punching in a password to install things, which they do not wish to do.

      No, what we need is something like UAC, that makes you CONFIRM that you wish something to install.

      Really, every piece of software on a consumer PC should be automatic updated, there is no reason to have the customer have to click on something and then say "Search for update!" anymore.
      Lerianis2
      • Low-rights accounts worked well for me

        As a systems administrator at a non-profit agency, I gave all employees low-rights user accounts. It worked quite well for us. The employees had no business attempting to install software, so the fact that it would've required a password was a case of "no harm, no foul."

        As for home/SOHO users, I support a few of them on an informal basis. The ones I'm supporting seldom install software. They use what they've got. I get them set up with an Admin and non-Admin account, tell them to use the non-Admin account except when they need Admin powers to install/remove software or hardware, and they seem to be able to handle that. There's some stupidly-made software that presumes Admin rights and won't work correctly without them, but it's going to get rare quickly as Vista and Win7 put pressure on the software developers to get with the program (haha).

        I agree that it would be great for all consumer software to keep itself up-to-date by default, particularly for a person who normally uses a low-rights account.
        mechBgon
  • This is where Linux wins big time

    If you restrict yourself to only installing things from reputable repositories, Linux users get updates for [b]all[/b] programs through 1 interface. For that reason, I believe Linux is the only one that would do relatively well were it ever to get 90% marketshare. As the last couple PWN2OWNs have shown, with the exception of OS X, hackers were not able to break in using a default, out of the box install of the OS.

    Unfortunately, I don't believe this could be an option for Windows just because of its proprietary nature.

    I should add that there is one thing to be aware of, you will have multiple patches waiting for you [b]every single day[/b]. If people felt that patching once a month was a chore, this will be like torture!! Personally, I never found it to be a burden.
    NonZealot
    • You can control *when* patching occurs

      But in reality it's not that bad.

      I'm on Ubuntu 9.04 and the patches come along every few days, sometimes once a week and only take a few minutes time and besides they run in the background so as to not interfere.

      Dietrich T. Schmitz
  • That just gives me a 'warm and comfy' feeling about Windows...

    ...NOT!

    Thank heavens for Ubuntu 9.04 Linux!
    Dietrich T. Schmitz
    • Look up Vista security features...

      when you get a chance, it has all the security features of the competition and probably a bit more, but don't let facts interrupt a good mindless anti-windows troll...
      jamesrayg
    • And if Ubuntu actually became a SERIOUS OS...

      But I doubt [i]that[/i] will ever happen!! It's after all the "Linux for dummies", being as inconfigurable as OS X!!

      A simple point of fact is that whichever OS is dominant, or most popular, that will ALWAYS be the target for most viruses. In other words, if say Ubuntu became a serious player in the OS world, you'd be seeing a lot of viruses targeting it. And considering most Linux distros are open source, it would be a damn easy process for a malware writer to examine the basecode for potential vulnerabilities.
      kaninelupus
      • Ubuntu is already a serious contender

        Ubuntu is already a serious contender. Most people just don't see it because it doesn't involve massive sums of money or they have a vendetta against any operating system other than the one they personally use. You get as much support and flexibility from the OS as you do from both Apple and Microsoft.

        Dell and HP have seen its potential and are already firing it out on their systems AND people are buying it.
        waynemeat
  • Anyone see the major flaw in this survey ?

    Your average punter in the street has no clue as to what Secunia is; it is the more savvy computer user that will most likely use this software, so I suspect the actual incidence of insecure programs is much higher.

    Alan Smithie
  • Ecosystem Improvement

    Discussion around the unbundling of IE in Europe on W7 gave me an idea to improve the lot of the 'average user' and the ecosystem thereby.

    Suppose that Secunia's PSI was modified slightly to suggest and support the installation of a basic set of applications for a new PC. Offering say:

    IE, Chrome, Safari, Opera, Firefox
    AVG, MSE, ...
    Flash
    Silverlight
    JRE
    Acrobat Reader, Foxit, ...

    You know - the usual suspects - and not much more to keep it simple.

    So when you first boot up your new PC, PSI offers to install the basic applications of your choice (note YOUR choice). Not only does this guide the average user ... it leaves PSI running in the background to prod him about application updates (switching off prodding can of course be selected).

    In other words M$ Update and PSI complement each other to keep systems current.
    jacksonjohn
  • Hardening a system is more important than patching & AV

    Hardening a system (disabling unnecessary processes, PROPERLY configuring the firewall for inbound & outbound, etc) is more important than patching (you don't need to patch the server service if it isn't there)... least important is AV. Most important is user education.

    A properly hardened system with a user who is aware of how to safely use the computer is by far the best scenario.
    s_southern
    • Hardening = moat, Unpatched 3rd party app = open draw bridge

      Your hardened OS is going down if you don't secure the applications that run on top of it.
      ejhonda
  • Secunia makes a great product: OSI & PSI

    It's getting people to use it that's the issue, or more importantly getting people to follow up on the PSI results and update the 3rd party software PSI tags as needing updating.
    ejhonda
  • Guadeloupe in South America?

    I had thought it was an overseas French department in the Caribbean. I have seen geographers place the Caribbean as part of Central America, or sometimes as a geographic region of its own, but this is the first time I see it referred to as part of South America. Maybe because if you look it up on a map (or Google Earth), the islands are most definitely to the north of South America and don't fit in it even with a lot of good will.

    It seems some guys at Secunia (and maybe at ZDnet) have missed some Geography classes at school...

    This talkback post was brought to you from Brazil, which most definitely IS indeed in South America! :-)
    goyta
  • RE: Secunia: Average insecure program per PC rate remains high

    I believe that there are millions of PCs that have been compromised that are hitting my mail server with spam now in an attempt to find more victims to compromise. I don't know if there is any correlation between insecure computers and spam rates, but in this article, at least from my mail server's standpoint, the high number of insecure programs in those countries appears to reflect the amount of spam I get from those countries.
    phatkat
  • RE: Secunia: Average insecure program per PC rate remains high

    I find that Secunia generally does a good job, but I find one glaring part that I wish would go away. They keep putting WGA as a major security breach if it is not installed. I have not installed it and do not wish to do so. The pop-up on start always says that I need to install an update and it is always the WGA. UGH!
    KEN
    30bob1
  • Why it Matters, What You can Do!

    If you cannot keep up with all of the security patches required for all of the Apps on your PC, then you need a different type of security product on your PC to stop what your AntiVirus software cannot detect. There are more sophisticated, more complex alternatives than this one. The point is, you need something altogether different than from what you have, which relies on having virus signatures, which are like fingerprints/photographs to stop only KNOWN attacks.

    http://download.cnet.com/AppGuard/3000-2239_4-10912598.html
    eiverson@...
  • Some insecure programs may not put your computer at risk

    I run Secunia and take its suggestions seriously, but sometimes the unpatched software is part of a larger software package. Right now, I have an insecure warning for a small part of Microsoft Works. I don't know how to patch this component and I don't use Microsoft Works so that I'm not going to worry about this alert.
    aa3805@...