Secunia: Less than 2% of Windows PCs fully patched | ZDNet


Secunia: Less than 2% of Windows PCs fully patched

By Ryan Naraine | December 4, 2008, 2:13am PST


Ryan Naraine

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

It’s long been established that the unpatched state of the Windows monoculture is the reason we are facing a malware epidemic.

Yet the latest vulnerability patching statistics from Secunia’s PSI (Personal Software Inspector) are a major eye-opener for everyone tracking the security of the Windows ecosystem. According to data culled from 20,000 users of the free software inspector, about 98% of the scanned PCs have at least one installed application with a known, unpatched security flaw.

These stats confirm a scary reality and, when you compare them with information released by Secunia last May (when the unpatched count stood at 28%), you get a real sense of just how easy it is for malware writers to hit wide open targets.

The sample covers 20,000 PCs/users; of these, 98.09% have one or more insecure programs installed. In other words, 98 out of 100 of the PCs scanned have insecure programs installed. (PSI users are a self-selected group of people who chose to install a patch checker, so the figure describes that population rather than every Internet-connected PC.)

Secunia defines an “insecure program” as a piece of software for which there is a newer version of the program available from the vendor that corrects one or more vulnerabilities, but the user has yet to install the secure version.

From Secunia’s blog:

  • No insecure programs:  1.91% of Windows machines
  • 1-5 insecure programs:  30.27% of PCs
  • 6-10 insecure programs: 25.07% of PCs
  • 11+ insecure programs: 45.76% of PCs

The company did not identify the applications on the list of “insecure programs” but it’s a safe bet it involves the most widely deployed software programs like Adobe Acrobat/Reader, Adobe Flash, RealNetworks’ RealPlayer, WinZip, QuickTime and Web browsers.
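As an added illustration (my own example, not Secunia’s or PSI’s code), the Python below applies the “insecure program” definition above to a constructed software inventory and bins machines into the same four buckets as the Secunia table. The advisory feed, product names, version numbers and machine inventories are all made up for the example; a real tool would take the fixed-version data from a vulnerability database and, as one reader comment on this article points out, would also need to key it by platform. The one non-obvious part is comparing versions numerically rather than as strings, which is exactly where naive update checkers produce false results.

```python
"""Added example: apply Secunia's "insecure program" definition to a
constructed inventory and reproduce PSI-style bucket statistics.
Not Secunia/PSI code; every product, version and machine below is
made up for illustration."""
import re
from collections import Counter

# Constructed advisory feed: product -> first version in which the
# vendor fixed the known flaws. Illustrative values, not real advisories.
FIXED_VERSIONS = {
    "Adobe Reader": "9.1.0",
    "Adobe Flash Player": "10.0.22",
    "Sun Java JRE": "1.6.0_13",
    "WinZip": "12.0.0",
    "Mozilla Firefox": "3.0.8",
    "Apple QuickTime": "7.6.0",
    "RealPlayer": "11.0.5",
    "Skype": "3.8.0",
    "VLC media player": "0.9.9",
    "7-Zip": "4.65",
    "OpenOffice.org": "3.0.1",
    "Windows Media Player": "11.0.6",
}

BUCKETS = ("0", "1-5", "6-10", "11+")


def parse_version(version):
    """Turn '1.6.0_13' into (1, 6, 0, 13) so versions compare numerically.

    Comparing the raw strings gets this wrong: '10.0.22' < '9.0.124' as
    text, but as tuples (10, 0, 22) > (9, 0, 124). Alphabetic suffixes
    (e.g. '0.9.9a') are ignored, a simplification a real checker would
    have to handle per vendor.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_insecure(product, installed_version, feed=FIXED_VERSIONS):
    """Secunia's definition: a newer vendor release exists that corrects
    one or more vulnerabilities and the installed release is older.

    Products missing from the feed cannot be judged and are reported as
    not insecure; that is a false-negative risk, never a false positive.
    """
    fixed = feed.get(product)
    if fixed is None:
        return False
    return parse_version(installed_version) < parse_version(fixed)


def count_insecure(inventory, feed=FIXED_VERSIONS):
    """inventory: list of (product, installed_version) pairs for one PC."""
    return sum(1 for product, version in inventory if is_insecure(product, version, feed))


def bucket(n_insecure):
    """The four bins used in the Secunia figures quoted in the article."""
    if n_insecure == 0:
        return "0"
    if n_insecure <= 5:
        return "1-5"
    if n_insecure <= 10:
        return "6-10"
    return "11+"


def distribution(machines, feed=FIXED_VERSIONS):
    """machines: {name: inventory}. Returns the percentage of machines in
    each bucket, rounded to two decimals like Secunia's table."""
    counts = Counter(bucket(count_insecure(inv, feed)) for inv in machines.values())
    total = len(machines)
    return {b: round(100.0 * counts[b] / total, 2) for b in BUCKETS}


def share_with_any_insecure(machines, feed=FIXED_VERSIONS):
    """The headline figure: percentage of machines with >= 1 insecure program."""
    return round(100.0 - distribution(machines, feed)["0"], 2)


# Constructed inventories for four PCs (illustrative, not scan data).
MACHINES = {
    "pc-01": [("Adobe Reader", "9.1.0"), ("Mozilla Firefox", "3.0.8"),
              ("7-Zip", "4.65")],                                       # fully patched
    "pc-02": [("Adobe Reader", "8.1.2"), ("Adobe Flash Player", "9.0.124"),
              ("Sun Java JRE", "1.6.0_11"), ("Mozilla Firefox", "3.0.8")],  # 3 insecure
    "pc-03": [("Adobe Reader", "8.1.2"), ("Adobe Flash Player", "9.0.124"),
              ("Sun Java JRE", "1.6.0_11"), ("WinZip", "11.2"),
              ("Mozilla Firefox", "3.0.5"), ("Apple QuickTime", "7.5.5"),
              ("RealPlayer", "10.5"), ("Skype", "3.8.0")],              # 7 insecure
    "pc-04": [("Adobe Reader", "7.0.9"), ("Adobe Flash Player", "9.0.115"),
              ("Sun Java JRE", "1.5.0_16"), ("WinZip", "10.0"),
              ("Mozilla Firefox", "2.0.0.20"), ("Apple QuickTime", "7.4.5"),
              ("RealPlayer", "10.5"), ("Skype", "3.6.0"),
              ("VLC media player", "0.8.6"), ("7-Zip", "4.57"),
              ("OpenOffice.org", "2.4.1"), ("Windows Media Player", "10.0.0")],  # 12 insecure
}

if __name__ == "__main__":
    for name, inv in MACHINES.items():
        print(f"{name}: {count_insecure(inv)} insecure -> bucket {bucket(count_insecure(inv))}")
    print("distribution:", distribution(MACHINES))
    print("PCs with >=1 insecure program:", share_with_any_insecure(MACHINES), "%")
```

Running it on the four constructed PCs puts one machine in each bucket (25% each) and reports 75% of machines with at least one insecure program; the same functions run over a real PSI-style export would reproduce Secunia’s table. Two design choices matter in practice: the feed is the only source of truth, so an outdated feed silently under-reports, and an unknown product is counted as secure rather than flagged, which keeps false positives out of the numbers at the cost of false negatives.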

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Related Discussions on TechRepublic

  • PSI program is a real eyeopener
    I have been using this freeware on my home network (3 notebooks and a tower) for the last month, starting with the last Beta release before installing V1.0.0.1 which is the first full release and all I can say is simply this, INSTALL IT NOW!! I started with about 6 insecure and 2 end of life warnings and with about 30 minutes work I had my main machine patched to 100% and the others took a little less time as I became comfortable using its features. This program is very user friendly and so far I have not found any problems using it to remove even the most obscure program or patching others up. Try it and you will probably be surprised at the number of possible weak areas and it also gives you a threat level from 1-5, which helps decide a course of action. Again, it is probably the best download in a very long time and at no cost. Can't beat it.
  • Misleading report, though
    First, the title implies that the problem is patching Windows: "Secunia: Less than 2% of Windows PCs fully patched", but the actual difficulty is third-party applications running on Windows. Then, the definition of vulnerable requires identifying the most recent versions of many pieces of software: "Secunia defines an “insecure program” as a piece of software for which there is a newer version of the program available from the vendor that corrects one or more vulnerabilities, but the user has yet to install the secure version." [End quote] As anyone who uses software to check for the most recent version knows, there are problems with correctly identifying the most recent - applicable - version and the version which is actually present on the pc. A quick example of the first is an update applicable to the Vista version of the software which is being checked for on a pc running XP. A quick example of the second is a software update which incorrectly changes the registry to record the version installed. Or doesn't change the registry at all. Software which checks third-party applications for updates can produce false results in a large percentage - meaning 40%, for example - of the listings given. This check for updates would be more accurate if it were limited to a few pieces of software in widespread use in which accurate recording of the results could be assured directly. There are problems with people keeping software updated. Some of the causes are reasonable, as when an older device cannot run a new version. But most are just "If it works, don't fix it." That said, this check of pc's has difficulty with both its sample (the sort of people who use this software vs the general population) and in assuring accuracy of the number of identified problem pc's.
  • So there's problems..
    .. what software DOESN'T have problems. (If anyone says Ubuntu I swear...BAM!!!! Right in the kisser!) Anyway, point is, this software is indeed great. Not even for the vulnerability stuff since I keep all my often used apps patched (actually most of the mainstream ones I use either self update or at least will check and inform me that there's a new version available for download). It's the little obscure apps that aren't often used that tend to go out of date in my experience and for those, the PSI software is excellent. Yes, sometimes it gives false results. Fine. It still gives you a good idea as to what area to look into. I think of it as a quality control device that will hopefully snag things that I personally missed. If there's a few apps missed by both me and PSI, then they really are so obscure that I probably either A) have no more use for them or B) by the time I use the app again, the fact that it's out of date will be painfully obvious. Finally, I see no reason to go bashing a piece of software that legitimately tries to get people to patch their out of date software, even if it does so with less than perfect accuracy. It's free, it works for major mainstream 3rd party apps, it saves you the headache of checking everything yourself. What does one have to lose? "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
  • Caveats
    Those automatic update checkers run as services. When responsiveness declines, they're appropriately among the first turned off. We both check for updates carefully, and are willing to accept false positives as minor inconveniences. But would you expect users who consider updating a waste of time to be so patient? Assuming they were willing to learn of and install this software at all. This software is a good idea, I agree. But the article uses the data the software gathered and gratuitous description of Windows as a monoculture and some ambiguous phrasing to make un-updated third party software a criticism of Windows. That's misleading.
  • There's a simple solution to all of this.
    Click here. Anyway, all of this is about people not upgrading to the latest version when the update is free? That's old news, it's called "using what seems to work so far."
  • Ubuntu not the answer to everything
    Since you apparently have no clue how the secunia scan software works, it scans ALL of the software installed on the system, against its own database, and reports any software which is not at the latest release version, or which has known, published security issues, as being unsafe. This includes the latest versions of several popular programs, including Acrobat and Java. They labeled the version of Java I have installed as being insecure/requiring an update two days before Sun released the next version. The 2% unpatched number could therefore be a tiny bit misleading (based on the date of this report and the date of the two day time gap between the software being reported as needing a patch and the patch being available).
  • Ubuntu Sucks
    When the Xserver, AIGLX and Nvidia can get their refresh rate problems worked out, then I might be inclined to change my opinion. Even the easiest to use Linux distro is more of a PIA to install and set up properly than Vista ever was.
  • RE: Secunia: Less than 2% of Windows PCs fully patched
    Microsoft's patch management is abysmal !! If M$ supplied tiny.. 512 or less byte un-installable patches I might be inclined to trust them. But that is not the case. There is no real way to uninstall and compare OS files to the original disk. Instead M$ swaps out major sections of the OS/APPS/Libraries (Which have the kitchen sink of changes thrown into them). Throw in the lame ass registry and the nightmare is complete. There is simply NO WAY to retest the users applications for anomalies after M$ installs a bunch of patches. (Way too frequent and wayyyy too large.) Instead.. I place my trust in External firewalls & non MS applications. Severely limiting the use of M$ applications talking to the Internet. No Lookout, or IE. Use Firefox (w/ antispam plugins), Opera and non-MS email apps. In summary.. Don't expose M$ OS or Applications directly to the wild and wooly internet and you'll minimise the need to be sucked into M$ patch nightmare.
  • Bad logic
    In summary... you don't need to wear a condom if you don't sleep with prostitutes. Naive.. unless you stay off of ALL NETWORKS ALL THE TIME, you're vulnerable because eventually someone will bring the malware TO YOU on your network from the Internet. All you have to do is connect to someone else via NTLM v1.0 (default) which is a reciprocating authentication (If you trust me and I'll trust you). bye-bye firewalls.
  • Another clueless poster.
    "If M$ supplied tiny.. 512 or less byte un-installable patches I might be inclined to trust them." 512 byte patches? Name one current OS that has 512 byte patches. Uninstalling patches is easy: Go to the "Add/Remove Programs" control panel and check the box labelled "Show Updates". Then select the update you want to remove and click the "Remove" button that appears. As for trust, Microsoft is no worse than other vendors when it comes to patch reliability. I have no qualms installing patches on my workstation systems. For servers, especially critical ones, I recommend patches be tested first. And this applies to any OS.
  • That is so not true
    As for trust Microsoft is no worse than other vendors when it comes to patch reliability. That's a big, fat half-truth at best. I used to look forward to the day after patch Tuesday because I knew there would be a lot of new business. The MS environment is so complex that when MS patches something there's no way to know all the ramifications of what will happen in your infrastructure. You'd probably argue that isn't MSFT's fault, but I'd counter that it stems from decisions they made long ago to favor interoperability over security. So, No_Ax, or Bit_Byte or whatever you're calling yourself these days, you're conveniently glossing over some major work and expense involved with using MS products. Whether by design or a painful weight of legacy applications coded, to the sloppy standard of their day, you can count on something to stop working when patch day rolls around. Otherwise you have to pay dedicated personnel to do nothing but test patches. That requires a model office or a dev environment that mirrors the production system. A big expense in a MS shop. And where's the payoff for all that extra work and expense? There isn't one. You have to do all that just to keep your environment working right with some comical imitation of security. Not to mention all the applications of letting you pay over and over for the privilege of upgrading applications written for older versions of Windows. I really don't believe you've run a system built on open source architecture.
  • Your response was just more of the same FUD.
    Unless you can demonstrate MS patches cause more problems than any other vendor. Can you?
  • You can't prove...
    ...that MS patches are no worse than other OS's anymore than he can prove the opposite by posting on this site. However in the real world we all know which boxes you have to watch when the patches roll around and which ones don't require so much attention.