If your PC picks up a virus, whose fault is it?

Want to stay safe online? Update your software. All of it.

Two recent studies add tremendous evidence to support the notion that regular patching is the single most important element in any security program. In fact, a fully patched system with a firewall enabled offers almost complete protection against viruses, worms, and other malicious software being installed without user interaction.

First up is an exhaustive two-year study that was completed last year but only recently published. The study's results were presented by independent security researcher Craig S Wright at the Computer Audit Control Security conference in Australia last month.( A copy of the full report is available in the SANS Reading Room.)

The test involved more than 640 hosts running Windows XP Professional with no third-party applications and with auto-updating disabled. With the Windows firewall turned off, the mean time before a host was compromised was just over 18 hours, with the Conficker worm doing more than its fair share of damage.

Also read:

• Trojans, viruses, worms: How does malware get on PCs and Macs?
• Why malware networks are beating antivirus software
• Stay safe online: 5 secrets every PC (and Mac) owner should know

But once a firewall was turned on—the default configuration for every Windows system shipped in the past seven years—the numbers changed dramatically:

With the firewall enabled, the mean survival time of the Windows XP SP2 systems increased to 336 days. No system with this control enabled was compromised in less than 108 days.

And even that vastly improved number overestimates the extent of the problem. Remember, these sample PCs had auto-updating disabled. So how were outside attackers able to break in?

In the results of the 640 hosts that were used for this experiment, no system was compromised with a zero-day attack. Many new and novel attacks against known vulnerabilities did occur, but not a single compromise was due to an unreported vulnerability. Further, no attack without a patch was used to compromise any of the systems. This means that if the systems had been patched, none of the attacks would have succeeded.

That study covered Windows XP, but the report notes that the conclusions should apply to Windows Vista and Windows 7 equally well.

In an additional experiment, the researchers deliberately configured Windows XP SP2 systems with a set number of critical vulnerabilities (chosen from the SANS Top 20 vulnerability list) and left those hosts unpatched. The results?

[T]he greater the number of vulnerabilities that a system has, the faster it is compromised. No system with six (6) or more unpatched network accessible vulnerabilities remained uncompromised for more than 15 days. A compromise occurred in as little as four (4) days on systems with two (2) vulnerabilities. A system with no critical vulnerabilities can be expected to survive for several months even without administrative interaction ...

As the report notes, each of these vulnerabilities was known. Proper patching and anti-malware or other system security software would have stopped the attacks cold.

That study deliberately left out human interaction. So what's the risk from drive-by attacks in Web browsers?

A second study, conducted over a three-month period this year in Denmark by CSIS Security Group, examined that very question. The researchers collected real-time data from a sample of more than 500,000 user exposures to poisoned web sites. These sites were rigged using so-called exploit kits—underground tools used by criminals to exploit vulnerabilities in popular software. According to CSIS, this type of attack accounts for up to 85% of all virus infections in the wild.

The result? Users who were infected became victims because they were missing security updates, typically for third-party programs.

On the basis of the total statistical data of this study it is documented that following products frequently are abused by malware in order to infect Windows machines: Java JRE, Adobe Reader / Acrobat, Adobe Flash and Microsoft Internet Explorer.

The most striking part of all is the list of vulnerabilities used by these exploit kits. Of the 12 entries that made up the list, five had been patched a full year earlier, and half involved vulnerabilities that had been identified and fixed between 2004 and 2008.

The authors conclude: "[A]s much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages."

Windows Update covers the specific Microsoft vulnerabilities in that study. The real weak link is in third-party software, especially Adobe products and Oracle's Java. If you want to maintain a secure computing environment, make sure those products are updated regularly.