
Add your opinion to: Secunia: Less than 2% of Windows PCs fully patched

Talkback Most Recent of 39 Talkback(s)

  • PSI program is a real eyeopener
    I have been using this freeware on my home network (3 notebooks and a tower) for the last month, starting with the last Beta release before installing V1.0.0.1, which is the first full release, and all I can say is simply this: INSTALL IT NOW!!
    I started with about 6 insecure and 2 end-of-life warnings, and with about 30 minutes of work I had my main machine patched to 100%; the others took a little less time as I became comfortable using its features.
    This program is very user friendly and so far I have not found any problems using it to remove even the most obscure program or patching others up.
    Try it and you will probably be surprised at the number of possible weak areas and it also gives you a threat level from 1-5, which helps decide a course of action. Again, it is probably the best download in a very long time and at no cost. Can't beat it.
    THX 1138
    4th Dec 2008
  • Misleading report, though
    First, the title implies that the problem is patching Windows:

    Secunia: Less than 2% of Windows PCs fully patched

    but the actual difficulty is third-party applications running on Windows.

    Then, the definition of vulnerable requires identifying the most recent versions of many pieces of software:

    Secunia defines an "insecure program" as a piece of software for which there is a newer version of the program available from the vendor that corrects one or more vulnerabilities, but the user has yet to install the secure version.

    [End quote]

    As anyone who uses software to check for the most recent version knows, there are problems with correctly identifying the most recent - applicable - version and the version which is actually present on the PC.

    A quick example of the first is an update applicable to the Vista version of the software which is being checked for on a PC running XP.

    A quick example of the second is a software update which incorrectly changes the registry to record the version installed. Or doesn't change the registry at all.

    Software which checks third-party applications for updates can produce false results in a large percentage - meaning 40%, for example - of the listings given.

    This check for updates would be more accurate if it were limited to a few pieces of software in widespread use in which accurate recording of the results could be assured directly.


    There are problems with people keeping software updated. Some of the causes are reasonable, as when an older device cannot run a new version. But most are just "If it works, don't fix it." That said, this check of PCs has difficulty with both its sample (the sort of people who use this software vs the general population) and in assuring accuracy of the number of identified problem PCs.
    Anton Philidor
    4th Dec 2008
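The two false-positive modes described in the post above (a latest version looked up for the wrong OS, and a registry-recorded version that disagrees with the binary on disk) are easy to model. The following is an added example, not code from Secunia or from anyone in this thread; the product names, version numbers and vendor table are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Installed:
    """One installed program as a checker would see it (constructed sample)."""
    name: str
    registry_version: str  # version recorded in the registry / Add-Remove Programs
    file_version: str      # version resource actually read from the binary on disk
    host_os: str           # "XP" or "Vista"


# Constructed vendor table: latest secure version per (product, OS).
# Hypothetical product names; not real Secunia data.
LATEST = {
    ("FooViewer", "XP"): "2.1.0",
    ("FooViewer", "Vista"): "2.2.0",    # Vista-only build, not applicable on XP
    ("BarArchiver", "XP"): "4.0.3",
    ("BarArchiver", "Vista"): "4.0.3",
}


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def naive_status(app):
    """Naive checker: trusts the registry and compares against the newest
    version the vendor ships for *any* OS. Reproduces both false-positive
    modes from the post above."""
    newest = max((ver for (name, _os), ver in LATEST.items() if name == app.name),
                 key=parse_version)
    return "insecure" if parse_version(app.registry_version) < parse_version(newest) else "patched"


def careful_status(app):
    """Hardened checker: only the version applicable to the host OS counts,
    and the registry is cross-checked against the on-disk file version.
    Disagreement is reported as 'unverified' rather than guessed."""
    applicable = LATEST.get((app.name, app.host_os))
    if applicable is None:
        return "unknown"        # no vendor data for this OS: count it neither way
    if app.registry_version != app.file_version:
        return "unverified"     # updater wrote the registry wrongly, or not at all
    return "insecure" if parse_version(app.file_version) < parse_version(applicable) else "patched"


def insecure_fraction(apps, checker):
    """Share of programs a checker flags as 'insecure'; shows how the choice
    of checker moves the headline number."""
    return sum(1 for a in apps if checker(a) == "insecure") / len(apps)


# Constructed scan results for one machine.
SAMPLE = [
    Installed("FooViewer", "2.1.0", "2.1.0", "XP"),        # fine on XP; Vista build is newer
    Installed("BarArchiver", "4.0.2", "4.0.3", "XP"),      # patched, but registry not updated
    Installed("BarArchiver", "4.0.3", "4.0.3", "Vista"),   # genuinely patched
    Installed("FooViewer", "2.2.0", "2.2.0", "Vista"),     # genuinely patched
    Installed("BarArchiver", "4.0.1", "4.0.1", "XP"),      # genuinely out of date
]

if __name__ == "__main__":
    for app in SAMPLE:
        print(f"{app.name:12} {app.host_os:5} naive={naive_status(app):10} careful={careful_status(app)}")
    print("naive insecure share:", insecure_fraction(SAMPLE, naive_status))
    print("careful insecure share:", insecure_fraction(SAMPLE, careful_status))
```

On the constructed sample the naive checker flags 3 of 5 programs while the careful one flags 1 and marks 1 as unverified, which is the kind of gap the post is warning about.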
  • So there's problems..
    .. what software DOESN'T have problems. (If anyone says Ubuntu I swear...BAM!!!! Right in the kisser!)

    Anyway, point is, this software is indeed great. Not even for the vulnerability stuff since I keep all my often used apps patched (actually most of the mainstream ones I use either self update or at least will check and inform me that there's a new version available for download). It's the little obscure apps that aren't often used that tend to go out of date in my experience and for those, the PSI software is excellent. Yes, sometimes it gives false results. Fine. It still gives you a good idea as to what area to look into. I think of it as a quality control device that will hopefully snag things that I personally missed. If there's a few apps missed by both me and PSI, then they really are so obscure that I probably either A) have no more use for them or B) by the time I use the app again, the fact that it's out of date will be painfully obvious.

    Finally, I see no reason to go bashing a piece of software that legitimately tries to get people to patch their out of date software, even if it does so with less than perfect accuracy. It's free, it works for major mainstream 3rd party apps, it saves you the headache of checking everything yourself. What does one have to lose?


    "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
    gnesterenko
    4th Dec 2008
  • Caveats
    Those automatic update checkers run as services. When responsiveness declines, they're appropriately among the first turned off.

    We both check for updates carefully, and are willing to accept false positives as minor inconveniences. But would you expect users who consider updating a waste of time to be so patient? Assuming they were willing to learn of and install this software at all.

    This software is a good idea, I agree. But the article uses the data the software gathered and gratuitous description of Windows as a monoculture and some ambiguous phrasing to make un-updated third party software a criticism of Windows. That's misleading.
    Anton Philidor
    4th Dec 2008
  • There's a simple solution to all of this.
    Click here.

    Anyway, all of this is about people not upgrading to the latest version when the update is free? That's old news, it's called "using what seems to work so far."
    T1Oracle
    4th Dec 2008
  • The above statement is false
    For anyone who wants to do any mainstream gaming on their PC. GG.
    gnesterenko
    4th Dec 2008
  • Ubuntu not the answer to everything
    Since you apparently have no clue how the Secunia scan software works: it scans ALL of the software installed on the system against its own database, and reports any software which is not at the latest release version, or which has known, published security issues, as being unsafe. This includes the latest versions of several popular programs, including Acrobat and Java. They labeled the version of Java I have installed as being insecure/requiring an update two days before Sun released the next version. The 2% unpatched number could therefore be a tiny bit misleading (based on the date of this report and the two day time gap between the software being reported as needing a patch and the patch being available).
    medezark@...
    4th Dec 2008
  • Ubuntu Sucks
    When the Xserver, AIGLX and Nvidia can get their refresh rate problems worked out, then I might be inclined to change my opinion. Even the easiest to use Linux distro is more of a PIA to install and set up properly than Vista ever was.
    soonerproud
    4th Dec 2008
  • RE: Secunia: Less than 2% of Windows PCs fully patched
    Microsoft's patch management is abysmal !!

    If M$ supplied tiny.. 512 or less byte uninstallable patches I might be inclined to trust them. But that is not the case. There is no real way to uninstall and compare OS files to the original disk.

    Instead M$ swaps out major sections of the OS/APPS/Libraries (which have the kitchen sink of changes thrown into them).

    Throw in the lame ass registry and the nightmare is complete.

    There is simply NO WAY to retest the users' applications for anomalies after M$ installs a bunch of patches. (Way too frequent and wayyyy too large.)


    Instead.. I place my trust in external firewalls & non-MS applications. Severely limiting the use of M$ applications talking to the Internet. No Lookout, or IE. Use Firefox (w/ antispam plugins), Opera and non-MS email apps.

    In summary.. Don't expose M$ OS or applications directly to the wild and wooly internet and you'll minimise the need to be sucked into the M$ patch nightmare.
    thetruth_z
    4th Dec 2008
  • Bad logic
    In summary... you don't need to wear a condom if you don't sleep with prostitutes.

    Naive.. unless you stay off of ALL NETWORKS ALL THE TIME, you're vulnerable because eventually someone will bring the malware TO YOU on your network from the Internet. All you have to do is connect to someone else via NTLM v1.0 (default) which is a reciprocating authentication (if you trust me, I'll trust you). Bye-bye firewalls.
    Brian G
    4th Dec 2008
  • Another clueless poster.
    If M$ supplied tiny.. 512 or less byte un-installable patches I might be inclined to trust them.

    512 byte patches? Name one current OS that has 512 byte patches.

    Uninstalling patches is easy: Go to the "Add/Remove Programs" control panel and check the box labelled "Show Updates". Then select the update you want to remove and click the "Remove" button that appears.

    As for trust, Microsoft is no worse than other vendors when it comes to patch reliability. I have no qualms installing patches on my workstation systems. For servers, especially critical ones, I recommend patches be tested first. And this applies to any OS.
    ye
    4th Dec 2008
  • That is so not true
    As for trust Microsoft is no worse than other vendors when it comes to patch reliability.

    That's a big, fat half-truth at best. I used to look forward to the day after patch Tuesday because I knew there would be a lot of new business.

    The MS environment is so complex that when MS patches something there's no way to know all the ramifications of what will happen in your infrastructure. You'd probably argue that isn't MSFT's fault, but I'd counter that it stems from decisions they made long ago to favor interoperability over security.

    So, No_Ax, or Bit_Byte or whatever you're calling yourself these days, you're conveniently glossing over some major work and expense involved with using MS products. Whether by design or a painful weight of legacy applications coded to the sloppy standard of their day, you can count on something to stop working when patch day rolls around. Otherwise you have to pay dedicated personnel to do nothing but test patches. That requires a model office or a dev environment that mirrors the production system. A big expense in an MS shop. And where's the payoff for all that extra work and expense? There isn't one. You have to do all that just to keep your environment working right with some comical imitation of security.

    Not to mention all the applications of letting you pay over and over for the privilege of upgrading applications written for older versions of Windows.

    I really don't believe you've run a system built on open source architecture.
    Chad_z
    4th Dec 2008
  • Your response was just more of the same FUD.
    Unless you can demonstrate MS patches cause more problems than any other vendor. Can you?
    ye
    4th Dec 2008
  • You can't prove...
    ...that MS patches are no worse than other OSes any more than he can prove the opposite by posting on this site. However in the real world we all know which boxes you have to watch when the patches roll around and which ones don't require so much attention.
    storm14k
    4th Dec 2008
  • The burden of proof is on both of your shoulders.
    He has to support his claim. It's not up to me to support the opposite point of view.
    ye
    4th Dec 2008
  • That is a load of BS
    That's a big, fat half-truth at best. I used to look forward to the day after patch Tuesday because I knew there would be a lot of new business.

    I have had no problems on our systems after they are patched, so how is it that an out and out open source proponent like yourself, who openly admits that you dislike anything Microsoft, has a lot of new business the day after they are patched?

    You do not, but you do have an agenda.
    GuidingLight
    4th Dec 2008
  • The problem is NOT the MS applications, it is all of the OTHER applications
    which people download and install on their own.
    DonnieBoy
    4th Dec 2008
  • You really don't expect users to fall for M$
    perpetual leasing scheme?? Do you??

    Users want to download or install an application, and just have it work in a consistent, accurate, predictable manner.

    They don't want to pay for new features, especially if they break or change the existing functions/features, lock them in, or suck their operations budget dry.

    Nearly all profit seeking software organizations cease supporting the older applications the moment they produce a new version. Thus it is imperative that users freeze the OS configuration in a known working state.

    That is nearly an impossible task with M$ current patch scheme. (Except shutting off patch updates and blocking ALL outside access to M$ Apps and OS functions).
    thetruth_z
    4th Dec 2008
  • I agree that MS is a big part of the problem for not creating a trusted
    repository. And, nobody would trust them to do it now anyway.

    But, MS does a "reasonable" job now of taking care of the OS and their own applications. Sure, it could be better.
    DonnieBoy
    4th Dec 2008
  • not so much...
    Spot on throughout except this paragraph:

    Users want to download or install an application, and just have it work in a consistent, accurate, predictable manner.

    I, for one, expect my application to improve over time, increasing in compatibility, speed, and sometimes utility while reducing possible errors. A lot of the complaints I read here rail against the fundamental nature of the Windows environment.

    To me it's like someone saying "I shouldn't be bothered to go through the hassle of changing oil on my car, so I won't." And then, when problems begin to crop up, the same someone blames the auto-maker. The reality of Windows is that patching your OS AND your third party apps is a habit you have to get into if you want to avoid all sorts of headaches. If you don't want to go through the hassle, by all means, there is Apple (which will cost you more), or Linux (which will cost you a lot less, but you have to live with a bunch of new apps to replace all the ones you used to use, assuming you find a replacement, and said replacement is unlikely to have the full functionality of the original. BUT, this car WILL change its own oil.) It's up to the user to make an informed decision as to which user segment he/she falls into. Naturally many continue to make UNinformed decisions and to them I say this: Buyer beware!

    "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
    gnesterenko
    4th Dec 2008
  • Still, it is a disaster to make users responsible for knowing about and
    patching vulnerabilities for all applications that they have on the computer. It would also be a disaster for each application to have its own updater, and users having to click through requests to update/patch.

    And, talking about disasters, this is exactly what we have here.
    DonnieBoy
    4th Dec 2008
  • Same with O$ X and various Linuxe$ out there
    How many updates has Linux had, and at what point does support for an older version continue?

    Is it any different for Apple's operating systems?

    That is nearly an impossible task with those current patch schemes, too.
    GuidingLight
    4th Dec 2008
  • RE: Secunia: Less than 2% of Windows PCs fully patched
    There may be a confusion here in the statistics. Could it be that those who use that checker are the least likely to keep their machines up to date?
    JayEdgar
    4th Dec 2008
  • The problem is that there is not a software repository, and the years of
    culture of downloading and installing individual programs that are not from a repository, and often do not even have an updater.

    Yes, MS has a repository for their own OS, and applications, but, for the rest of the software it is pure chaos. Some having their own updater, some NOTHING. In the case of nothing, you have to hear in the news that there is a problem, then go looking for an update.

    Ubuntu could do everybody a big favor with a repository of all the free software for Windows, and apt-get / Synaptic for Windows.
    DonnieBoy
    4th Dec 2008
  • Bingo.
    nt
    no_zd_user_name
    4th Dec 2008
  • M$ doesn't have a repository..
    It's often a hodgepodge of disjointed downloads and patches. (Many of which update/change features & functions unrelated to the description supplied.)

    And often disappear when M$ decides it's no longer convenient to support or supply them.
    thetruth_z
    4th Dec 2008
  • Yes, there are a lot of trust issues with MS around how they have used
    their repository and the transparency of what they do. But, at least they DO patch the OS and their own applications.
    DonnieBoy
    4th Dec 2008
  • haven't heard of this
    examples?

    Not being sarcastic or whatnot, I just hadn't read much on the above and wasn't aware that MS did something like that on a consistent basis. Want to investigate if it's something that actually impacts me/I care about.


    "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
    gnesterenko
    4th Dec 2008
  • Users of Secunia's tool are not a statistically accurate sample of all PCs
    I'd be wary of drawing any conclusions based on Secunia's data, since it's based only on people who choose to run their tool. It's like saying that only 2% of people are healthy by analyzing the health of people in hospitals.

    I'd trust it a lot more if they picked 1000 people at random, got them to install the tool and then used the results.

    Not to say that the results would necessarily be much different -- just that you can't make overall conclusions based on this.
    PB_z
    4th Dec 2008
  • I would suggest it shows better than reality.
    The only ones who install and use it would be ones who are actually interested in security and have downloaded a tool to enhance it. It probably means that those who are unaware of the tool probably fare even worse than this.

    TripleII
    TripleII-21189418044173169409978279405827
    4th Dec 2008
  • Alternatively.
    It could have been downloaded only by people who believed they already had a problem. Similar to people going to the doctor's because they think something is up with them.

    If you were that interested in security then you would already be aware of being fully patched.
    Bozzer
    4th Dec 2008
  • ehh
    [Edit: ARG. posted this same time as the guy above. Same point, but expanded on.]

    One could argue the other way as well. People who actually chose to run this tool at least are making an effort to get better. Out of the not so random sample that is my group of friends, well over half do not patch ANY of their software unless it forces them to and couldn't care less if it was out of date. To expand on your hospital analogy - it's been shown that men will AVOID going to the hospital or a doctor even if they feel sick (and this fact is probably the reason our life expectancy is shorter than that of women).

    Anyway, not drawing any conclusions, but I would guess that people that don't make the effort to check their machine for out of date software probably have a lot more out of date software than those that do.

    And again, the software is free and useful. Not perfect, but you have absolutely nothing to lose by at least trying it (ok you have about 15 minutes to lose that it will take you to install and scan your PC. Brutal.)


    "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
    gnesterenko
    4th Dec 2008
  • Maybe
    They downloaded this because they thought their PC was already sick...
    Bozzer
    4th Dec 2008
  • Relevance
    In my organization, for reasons that are not 100% clear to me, we only support IE6. So in our case, 100% would be out of compliance. Even though roughly 50% of our end users use the latest version of FireFox 3.x and seem to prefer that to IE6. The reasons we don't support IE7 is due to compatibility with "home grown apps" that use a web browser and IE7 breaks those apps, for reasons that are not obvious to me. The weird thing is, the apps work better in Firefox 3.x than they do in IE6. These are legacy applications such as a time card system that is rather ancient, some old AS400 apps that we use a browser to access and some of our internal web sites that are "old school". While I understand IE6 has issues, if every other product has been fully patched and updated, except for the IE6 issues, are we really all that insecure?

    Just wonderin'.... wink
    ThePrairiePrankster
    4th Dec 2008
  • LINUX SECURITY = OBSCURITY and nothing more...
    Plus the lack of third-party applications that is the main contributor of vulnerabilities in Windows. Zealots make you believe that their 0.7% desktop share or the lack of usable applications is not the reason for their "perceived security". But that's just a lie they love to propagate in tech sites like ZDNet. All OSes and the applications that run on them are vulnerable since all are created by humans. Claiming otherwise is plain bull crap...
    transposeIT
    4th Dec 2008
  • As Are You
    People like you have been spewing the same crap since 1998, and Linux continues to grow in popularity.

    Keep on using your malware-infested garbage.
    itanalyst2@...
    4th Dec 2008
  • Advertisement Posing as Article
    This is what we already know. Stop pitching one product in your articles, because I can't take them seriously if you do.

    This was deliberately set up to pitch the software by Secunia. Granted, the article has some relevant information so it is not an entire loss, but how many people will sift through the information objectively?
    nucrash
    5th Dec 2008
  • RE: Secunia: Less than 2% of Windows PCs fully patched
    good article , I think
    www.hey-b2b.com
    heyb2b
    5th Dec 2008
  • RE: Secunia: Less than 2% of Windows PCs fully patched
    Well done! Thank you very much for professional templates and community edition
    seslisohbet seslichat
    birumut
    5th May
