Secunia: Less than 2% of Windows PCs fully patched

Summary: It's long been established that the unpatched state of the Windows monoculture is the reason we are facing a malware epidemic. Yet the latest vulnerability patching statistics from Secunia's PSI (Personal Software Inspector) are a major eye-opener for everyone tracking the security of the Windows ecosystem.

[Image: An unpatched (Windows) monoculture]

It's long been established that the unpatched state of the Windows monoculture is the reason we are facing a malware epidemic.

Yet the latest vulnerability patching statistics from Secunia's PSI (Personal Software Inspector) are a major eye-opener for everyone tracking the security of the Windows ecosystem. According to data culled from 20,000 users of the free software inspector, about 98% of all installed/detected applications are vulnerable to a known security flaw.

These stats confirm a scary reality and, when you compare them with the information Secunia released last May (when the unpatched count stood at 28%), you get a real sense of just how easy it is for malware writers to hit wide-open targets.

The total number of PCs/users included in these numbers is 20,000; of these, 98.09% have one or more insecure programs installed on their PC. Hence: 98 out of 100 PCs that are connected to the Internet have insecure programs installed!

Secunia defines an "insecure program" as a piece of software for which there is a newer version of the program available from the vendor that corrects one or more vulnerabilities, but the user has yet to install the secure version.

From Secunia's blog:

  • No insecure programs:  1.91% of Windows machines
  • 1-5 insecure programs:  30.27% of PCs
  • 6-10 insecure programs: 25.07% of PCs
  • 11+ insecure programs: 45.76% of PCs

The company did not identify the applications on the list of "insecure programs" but it's a safe bet it involves the most widely deployed software programs like Adobe Acrobat/Reader, Adobe Flash, RealNetworks' RealPlayer, WinZip, QuickTime and Web browsers.
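To make the definition above concrete, here is an added illustration (not Secunia's PSI code) of how an inspector classifies each installed program as secure, insecure or end-of-life and then sorts machines into the four bands Secunia reported. The advisory table, program names and version numbers are constructed sample data, not real vendor releases.

```python
"""PSI-style 'insecure program' classification and per-PC reporting bands.

Constructed illustration: the advisory table below is sample data, not a
real vendor release history. Secunia's definition needs BOTH conditions:
a newer version exists AND that newer version corrects a vulnerability.
"""
from collections import Counter

# Constructed sample advisories: latest vendor version per program and
# whether that release fixed a security flaw. latest=None models a product
# the vendor no longer ships (PSI reports these as "end of life").
ADVISORIES = {
    "reader":    {"latest": "8.1.2",     "fixes_vuln": True},
    "flash":     {"latest": "9.0.115.0", "fixes_vuln": True},
    "winzip":    {"latest": "11.2",      "fixes_vuln": False},  # newer, no security fix
    "oldplayer": {"latest": None,        "fixes_vuln": False},  # vendor dropped it
}

def parse_version(text):
    """'9.0.115.0' -> (9, 0, 115); trailing zeros dropped so 8.1 == 8.1.0."""
    parts = [int(p) for p in text.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify(program, installed):
    """Return 'secure', 'insecure' or 'end-of-life' for one installed program."""
    adv = ADVISORIES[program]
    if adv["latest"] is None:
        return "end-of-life"
    older = parse_version(installed) < parse_version(adv["latest"])
    return "insecure" if older and adv["fixes_vuln"] else "secure"

def count_insecure(inventory):
    """inventory maps program -> installed version for a single PC."""
    return sum(classify(p, v) == "insecure" for p, v in inventory.items())

def bucket(n):
    """The four reporting bands from Secunia's blog post."""
    if n == 0:
        return "No insecure programs"
    if n <= 5:
        return "1-5 insecure programs"
    if n <= 10:
        return "6-10 insecure programs"
    return "11+ insecure programs"

def distribution(fleet):
    """Percentage of PCs per band, computed from a list of inventories."""
    counts = Counter(bucket(count_insecure(inv)) for inv in fleet)
    return {band: round(100 * c / len(fleet), 2) for band, c in counts.items()}
```

Note that `winzip` 11.1 is reported secure even though 11.2 exists, because that release fixes no vulnerability; an inspector that only checks "is there something newer" would count it as a false positive.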

* Image source: Maggiejumps' Flickr photostream (Creative Commons 2.0)

Talkback

39 comments
  • PSI program is a real eyeopener

    I have been using this freeware on my home network (3 notebooks and a tower) for the last month, starting with the last Beta release before installing V1.0.0.1, which is the first full release, and all I can say is simply this: INSTALL IT NOW!!
    I started with about 6 insecure and 2 end-of-life warnings, and with about 30 minutes' work I had my main machine patched to 100%; the others took a little less time as I became comfortable using its features.
    This program is very user friendly and so far I have not found any problems using it to remove even the most obscure program or patch up others.
    Try it and you will probably be surprised at the number of possible weak areas. It also gives you a threat level from 1-5, which helps decide a course of action. Again, it is probably the best download in a very long time and at no cost. Can't beat it.
    THX 1138
    • Misleading report, though

      First, the title implies that the problem is patching Windows:

      Secunia: Less than 2% of Windows PCs fully patched

      but the actual difficulty is third-party applications running on Windows.

      Then, the definition of vulnerable requires identifying the most recent versions of many pieces of software:

      Secunia defines an "insecure program" as a piece of software for which there is a newer version of the program available from the vendor that corrects one or more vulnerabilities, but the user has yet to install the secure version.

      [End quote]

      As anyone who uses software to check for the most recent version knows, there are problems with correctly identifying the most recent - applicable - version and the version which is actually present on the PC.

      A quick example of the first is an update applicable to the Vista version of the software which is being checked for on a PC running XP.

      A quick example of the second is a software update which incorrectly changes the registry to record the version installed. Or doesn't change the registry at all.

      Software which checks third-party applications for updates can produce false results in a large percentage - meaning 40%, for example - of the listings given.

      This check for updates would be more accurate if it were limited to a few pieces of software in widespread use in which accurate recording of the results could be assured directly.

      There are problems with people keeping software updated. Some of the causes are reasonable, as when an older device cannot run a new version. But most are just "If it works, don't fix it." That said, this check of PCs has difficulty with both its sample (the sort of people who use this software vs the general population) and in assuring accuracy of the number of identified problem PCs.
      Anton Philidor
      • So there's problems..

        .. what software doesn't have problems. (If anyone says Ubuntu I swear...BAM!!!! Right in the kisser!)

        Anyway, point is, this software is indeed great. Not even for the vulnerability stuff, since I keep all my often-used apps patched (actually most of the mainstream ones I use either self-update or at least will check and inform me that there's a new version available for download). It's the little obscure apps that aren't often used that tend to go out of date in my experience, and for those, the PSI software is excellent. Yes, sometimes it gives false results. Fine. It still gives you a good idea as to what area to look into. I think of it as a quality control device that will hopefully snag things that I personally missed. If there's a few apps missed by both me and PSI, then they really are so obscure that I probably either A) have no more use for them or B) by the time I use the app again, the fact that it's out of date will be painfully obvious.

        Finally, I see no reason to go bashing a piece of software that legitimately tries to get people to patch their out-of-date software, even if it does so with less than perfect accuracy. It's free, it works for major mainstream 3rd-party apps, it saves you the headache of checking everything yourself. What does one have to lose?


        "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
        gnesterenko
        • Caveats

          Those automatic update checkers run as services. When responsiveness declines, they're appropriately among the first turned off.

          We both check for updates carefully, and are willing to accept false positives as minor inconveniences. But would you expect users who consider updating a waste of time to be so patient? Assuming they were willing to learn of and install this software at all.

          This software is a good idea, I agree. But the article uses the data the software gathered and gratuitous description of Windows as a monoculture and some ambiguous phrasing to make un-updated third party software a criticism of Windows. That's misleading.
          Anton Philidor
  • There's a simple solution to all of this.

    Click here (for a safe PC...): http://www.ubuntu.com/GetUbuntu/download

    Anyway, all of this is about people not upgrading to the latest version when the update is free? That's old news, it's called "using what seems to work so far."
    T1Oracle
    • The above statement is false

      For anyone who wants to do any mainstream gaming on their PC. GG.
      gnesterenko
    • Ubuntu not the answer to everything

      Since you apparently have no clue how the Secunia scan software works: it scans ALL of the software installed on the system against its own database, and reports any software which is not at the latest release version, or which has known, published security issues, as being unsafe. This includes the latest versions of several popular programs, including Acrobat and Java. They labeled the version of Java I have installed as being insecure/requiring an update two days before Sun released the next version. The 2% unpatched number could therefore be a tiny bit misleading (based on the date of this report and the two-day time gap between the software being reported as needing a patch and the patch being available).
      medezark@...
    • Ubuntu Sucks

      When the Xserver, AIGLX and Nvidia can get their refresh rate problems worked out, then I might be inclined to change my opinion. Even the easiest to use Linux distro is more of a PIA to install and set up properly than Vista ever was.
      soonerproud
  • RE: Secunia: Less than 2% of Windows PCs fully patched

    Microsoft's patch management is abysmal !!

    If M$ supplied tiny.. 512 or less byte un-installable patches I might be inclined to trust them. But that is not the case. There is no real way to uninstall and compare OS files to the original disk.

    Instead M$ swaps out major sections of the OS/APPS/Libraries (which have the kitchen sink of changes thrown into them).

    Throw in the lame ass registry and the nightmare is complete.

    There is simply NO WAY to retest the users' applications for anomalies after M$ installs a bunch of patches. (Way too frequent and wayyyy too large.)


    Instead.. I place my trust in external firewalls & non-MS applications. Severely limiting the use of M$ applications talking to the Internet. No Lookout, or IE. Use Firefox (w/ antispam plugins), Opera and non-MS email apps.

    In summary.. Don't expose M$ OS or Applications directly to the wild and woolly internet and you'll minimise the need to be sucked into M$'s patch nightmare.
    thetruth_z
    • Bad logic

      In summary... you don't need to wear a condom if you don't sleep with prostitutes.

      Naive.. unless you stay off of ALL NETWORKS ALL THE TIME, you're vulnerable because eventually someone will bring the malware TO YOU on your network from the Internet. All you have to do is connect to someone else via NTLM v1.0 (default) which is a reciprocating authentication (if you trust me, I'll trust you). Bye-bye firewalls.
      Brian G
    • Another clueless poster.

      [i]If M$ supplied tiny.. 512 or less byte un-installable patches I might be inclined to trust them.[/i]

      512 byte patches? Name one current OS that has 512 byte patches.

      Uninstalling patches is easy: Go to the "Add/Remove Programs" control panel and check the box labelled "Show Updates". Then select the update you want to remove and click the "Remove" button that appears.

      As for trust, Microsoft is no worse than other vendors when it comes to patch reliability. I have no qualms installing patches on my workstation systems. For servers, especially critical ones, I recommend patches be tested first. And this applies to any OS.
      ye
      • That is so not true

        [i]As for trust Microsoft is no worse than other vendors when it comes to patch reliability. [/i]

        That's a big, fat half-truth at best. I used to look forward to the day after patch Tuesday because I knew there would be a lot of new business.

        The MS environment is so complex that when MS patches something there's no way to know all the ramifications of what will happen in your infrastructure. You'd probably argue that isn't MSFT's fault, but I'd counter that it stems from decisions they made long ago to favor interoperability over security.

        So, No_Ax, or Bit_Byte or whatever you're calling yourself these days, you're conveniently glossing over some major work and expense involved with using MS products. Whether by design or a painful weight of legacy applications coded to the sloppy standard of their day, you can count on something to stop working when patch day rolls around. Otherwise you have to pay dedicated personnel to do nothing but test patches. That requires a model office or a dev environment that mirrors the production system. A big expense in a MS shop. And where's the payoff for all that extra work and expense? There isn't one. You have to do all that just to keep your environment working right with some comical imitation of security.

        Not to mention all the applications of letting you pay over and over for the privilege of upgrading applications written for older versions of Windows.

        I really don't believe you've run a system built on open source architecture.
        Chad_z
        • Your response was just more of the same FUD.

          Unless you can demonstrate MS patches cause more problems than any other vendor. Can you?
          ye
          • You can't prove...

            ...that MS patches are no worse than other OSes any more than he can prove the opposite by posting on this site. However, in the real world we all know which boxes you have to watch when the patches roll around and which ones don't require so much attention.
            storm14k
          • The burden of proof is on the both of your shoulders.

            He has to support his claim. It's not up to me to support the opposite point of view.
            ye
        • That is a load of BS

          [i]That's a big, fat half-truth at best. I used to look forward to the day after patch Tuesday because I knew there would be a lot of new business.[/i]

          I have had no problems on our systems after they are patched, so how is it that an out-and-out open source proponent like yourself, who openly admits that you dislike anything Microsoft, has a lot of new business the day after they are patched?

          You do not, but you do have an agenda.
          GuidingLight
    • The problem is NOT the MS applications, it is all of the OTHER applications

      which people download and install on their own.
      DonnieBoy
      • You really don't expect users to fall for M$

        perpetual leasing scheme?? Do you??

        Users want to download or install an application, and just have it work in a consistent, accurate, predictable manner.

        They don't want to pay for new features, especially if they break or change the existing functions/features, lock them in, or suck their operations budget dry.

        Nearly all profit-seeking software organizations cease supporting the older applications the moment they produce a new version. Thus it is imperative that users freeze the OS configuration in a known working state.

        That is nearly an impossible task with M$ current patch scheme. (Except shutting off patch updates and blocking ALL outside access to M$ Apps and OS functions).
        thetruth_z
        • I agree that MS is a big part of the problem for not creating a trusted

          repository. And, nobody would trust them to do it now anyway.

          But, MS does a "reasonable" job now of taking care of the OS and their own applications. Sure, it could be better.
          DonnieBoy
        • not so much...

          Spot on throughout except this paragraph:

          [i]Users want to download or install an application, and just have it work in a consistent, accurate, predictable manner. [/i]

          I, for one, expect my application to improve over time, increasing in compatibility, speed, and sometimes utility while reducing possible errors. A lot of the complaints I read here rail against the fundamental nature of the Windows environment.

          To me it's like someone saying "I shouldn't be bothered to go through the hassle of changing oil on my car, so I won't." And then, when problems begin to crop up, the same someone blames the auto-maker. The reality of Windows is that patching your OS AND your third-party apps is a habit you have to get into if you want to avoid all sorts of headaches. If you don't want to go through the hassle, by all means, there is Apple (which will cost you more), or Linux (which will cost you a lot less, but you have to live with a bunch of new apps to replace all the ones you used to use, assuming you find a replacement, and said replacement is unlikely to have the full functionality of the original. BUT, this car WILL change its own oil.) It's up to the user to make an informed decision as to which user segment he/she falls into. Naturally many continue to make UNinformed decisions and to them I say this: Buyer beware!

          "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
          gnesterenko