Secunia gathered data during the past week from 20,000 new users (mostly consumers) of its free Secunia PSI 1.0 vulnerability scanner and found that 98.09 percent of them had one or more insecure software programs installed on their systems. "Insecure" here means the installed version was older than the vendor's release that fixed one or more known vulnerabilities, according to Secunia.
Why such a grim outcome? "There are two reasons: The primary is that we've reached a broader audience who are not aware of the need for patching. Even those who do patch only patch the most obvious things, like the operating system, their browsers, media players, and perhaps instant messaging programs," says Thomas Kristensen, CTO of Secunia. "Another reason may be that no matter how thorough you are in a manual process, you are bound to miss a few programs simply because they aren't listed in the Add/Remove programs in the Control Panel."
According to Secunia, 30.27 percent of users had one to five insecure programs on their machine, 25.07 percent had six to 10, and 45.76 percent had 11 or more insecure software programs running on their machines.
Security experts say the biggest culprit here is third-party applications, which many users don't bother to update -- or even realize they need to do so. "It really is probably worse. I suspect that if only Windows patches were measured, the numbers would have been in excess of 80 percent of users being patched. But Secunia is including third-party apps, and user knowledge of the need to patch all of these is probably less than 2 percent," says Randy Abrams, director of technical education for Eset. "This is exactly why there are so many malicious programs exploiting third-party programs."
Even so, leaving some lower-profile third-party apps unpatched isn't a major risk, argues Richard Stiennon, chief research analyst at IT-Harvest. "For some it doesn't matter in the big picture...there aren't going to be any exploits," he says. "You've got to focus on updating Windows, QuickTime, Adobe, maybe iTunes, your AV signatures," and the high-profile software programs, he says. "Not everybody is getting everything patched perfectly, but the world still works."
Jakob Balle, IT development manager for Secunia, blogged yesterday that the numbers are actually "best-case" scenarios, mainly because Secunia PSI users are probably more security-minded, and because the data included cases where a PSI user had already cleaned up the machine and was simply rescanning it. PSI 1.0 is installed on 850,000 PCs worldwide, according to Secunia.
Eset's Abrams notes that while the nearly 2 percent "clean" statistic is likely a best-case when you include third-party applications, users who regularly patch probably don't use the tool. "The users who keep on top of what needs to be patched are not as likely to use Secunia's software, so they won't show up significantly in the stats," he says. "Twenty-thousand users probably has a very wide statistical margin of error when you consider the number of PCs out there, but in this case it would seem probable the error is on the side of optimism."