Users are patching Windows, but QuickTime and Java vulnerabilities remain, says Secunia

Secunia's latest reports of software vulnerabilities on PCs running Microsoft Windows should prompt users to patch all their software, and uninstall both Apple QuickTime and Oracle Java.

[Image: cover of the Vulnerability Review 2016 by Secunia Research at Flexera Software]

More Microsoft Windows users are installing patches, but the Oracle Java and Apple QuickTime problems are even worse than they were last year, according to Secunia reports on this year's first quarter. People may think their PCs are secure because they are running Windows Update, but most are still at risk because of vulnerabilities in third-party applications.

Secunia's numbers are based on Windows PCs running its free Personal Software Inspector, so they only represent a subset of the market. Because PSI prompts people to update vulnerable software, most non-PSI users are probably in a worse position.

In the January-March quarter, 93.9 percent of UK users had patched their Windows operating system, and 96.2 percent had patched other Microsoft software, such as Microsoft Office (PDF). However, 11.9 percent still had unpatched third-party software. The figures for the USA were slightly worse: 93.5 percent had patched the OS, 96.1 percent had patched other Microsoft software, and 12.7 percent had unpatched third-party software (PDF).

The major problems are Apple's QuickTime and iTunes, Oracle Java JRE, and Adobe Reader.

In the UK, for example, unpatched Java installations climbed from 36 to 41 percent compared with the first quarter of last year, and unpatched QuickTime installations increased from 55 to 61 percent. Fortunately, for most users, both programs can be uninstalled without a significant penalty. (Adobe Creative Suite users may have a QuickTime problem.)

Java is a long-running problem, but things may improve. Oracle has been forced by the US FTC to apologise for deceiving users about its security updates, and it has been obliged to link to a tool that uninstalls old versions.
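The article's advice is to patch everything and uninstall QuickTime and Java where they are not needed. The first step is knowing whether they are present at all, and whether several Java versions are installed side by side, which is the situation the Oracle uninstall tool addresses. The following PowerShell script is an added example, not part of the article or any Secunia or Flexera tool; it reads the same registry Uninstall keys that Programs and Features uses, so it runs offline on any Windows PC. It only reports; it does not remove anything.

```powershell
# Added example: inventory installed QuickTime and Java components on a Windows PC.
# Reads the registry Uninstall keys (64-bit, 32-bit/WOW6432Node and per-user) that
# Programs and Features is built from. Reporting only; nothing is uninstalled.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display names of interest start with "QuickTime" or "Java" (e.g. "Java 8 Update 77",
# "Java(TM) 7 Update 25"). Anchoring at the start avoids matching unrelated products.
$pattern = '^(QuickTime|Java)'

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString |
    Sort-Object DisplayName, DisplayVersion

if (-not $found) {
    Write-Host 'No QuickTime or Java entries found in the Uninstall registry keys.'
    return
}

Write-Host 'Installed QuickTime/Java components:'
$found | Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize

# Several Java runtimes side by side usually means old, unpatched versions were left
# behind by upgrades; flag that so the administrator can review them.
$javaEntries = @($found | Where-Object { $_.DisplayName -match '^Java' })
if ($javaEntries.Count -gt 1) {
    Write-Warning ("{0} Java entries found; older versions are likely unpatched." -f $javaEntries.Count)
}

# Show the registered uninstall command for each entry so it can be reviewed before
# anything is removed (these commands come from the vendor's installer, not this script).
$found | ForEach-Object { '{0} -> {1}' -f $_.DisplayName, $_.UninstallString }
```

Run it from an ordinary PowerShell prompt; the HKLM keys are readable without elevation. Administrators can run the same script through a management tool to get a fleet-wide count of PCs that still carry the two products, which is the figure Secunia's PSI data is measuring.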

Adobe Reader is another long-running problem: it had 121 vulnerabilities, which is almost as many as Apple iTunes (130). Sadly, more than half the Adobe Reader installations were unpatched.

QuickTime for Windows is a growing problem because Apple has finally given up on it. Unfortunately, many users may have missed the security alerts, e.g. from US-CERT.

[Bar chart: applications versus vulnerabilities. Microsoft provides almost 70 percent of the software on Windows PCs (orange, left) while non-Microsoft programs have almost 80 percent of the vulnerabilities (green, right). Source: Secunia Research at Flexera]

In its full report, available free on request, Secunia noted that Microsoft provided 67 percent of the Top 50 applications running on PCs but third-party programs suffered 79 percent of the vulnerabilities. (The table below shows the 20 most-commonly installed programs.)

In the Top 50 programs, patches were already available for 84.6 percent of the vulnerabilities found, and there were 23 zero-day vulnerabilities, compared to 20 in 2014.

There are two obvious conclusions. First, far fewer PCs would be compromised by malware if users patched all their software. Second, there would be fewer vulnerabilities if third-party suppliers such as Adobe, Apple and Oracle were as good as Microsoft at writing secure software.

Footnote: Since I last wrote about Secunia, which is based in Denmark, it has been taken over by Flexera Software, an American company best known for software asset management and licensing compliance programs used by large companies.

[Table: Secunia's 20 most-commonly installed programs. Source: Secunia Research at Flexera]