

03:20 PM

Secunia: Less Than 2 Percent Of PCs Are Fully Patched, Protected

More than 45 percent have in excess of 10 insecure applications running on their machines

Fewer than 2 percent of Windows PCs are fully patched with updated and secured software, according to new data gathered by Secunia.

Secunia gathered data during the past week from 20,000 new users (mostly consumers) of its free Secunia PSI 1.0 vulnerability scanner and found that 98.09 percent of them had one or more insecure software programs installed on their systems. That means the machine didn't have the latest version of the software that had fixed one or more vulnerabilities, according to Secunia.

Why such a grim outcome? "There are two reasons: The primary is that we've reached a broader audience who are not aware of the need for patching. Even those who do patch only patch the most obvious things, like the operating system, their browsers, media players, and perhaps instant messaging programs," says Thomas Kristensen, CTO of Secunia. "Another reason may be that no matter how thorough you are in a manual process, you are bound to miss a few programs simply because they aren't listed in the Add/Remove programs in the Control Panel."

According to Secunia, 30.27 percent of users had one to five insecure programs on their machine, 25.07 percent had six to 10, and 45.76 percent had 11 or more insecure software programs running on their machines.

Security experts say the biggest culprit here is third-party applications, which many users don't bother to update -- or even realize they need to do so. "It really is probably worse. I suspect that if only Windows patches were measured, the numbers would have been in excess of 80 percent of users being patched. But Secunia is including third-party apps, and user knowledge of the need to patch all of these is probably less than 2 percent," says Randy Abrams, director of technical education for Eset. "This is exactly why there are so many malicious programs exploiting third-party programs."

Even so, leaving some lower-profile third-party apps unpatched isn't a major risk, notes Richard Stiennon, chief research analyst at IT-Harvest. "For some it doesn't matter in the big picture...there aren't going to be any exploits," he says. "You've got to focus on updating Windows, QuickTime, Adobe, maybe iTunes, your AV signatures," and the high-profile software programs, he says. "Not everybody is getting everything patched perfectly, but the world still works."

Jakob Balle, IT development manager for Secunia, blogged yesterday that the numbers are actually "best-case" scenarios, mainly because Secunia PSI users are probably more security-minded, and that the data did show when a PSI user had been cleaned up previously and was just rescanning. PSI 1.0 is installed on 850,000 PCs worldwide, according to Secunia.

Eset's Abrams notes that while the nearly 2 percent "clean" statistic is likely a best-case when you include third-party applications, users who regularly patch probably don't use the tool. "The users who keep on top of what needs to be patched are not as likely to use Secunia's software, so they won't show up significantly in the stats," he says. "Twenty-thousand users probably has a very wide statistical margin of error when you consider the number of PCs out there, but in this case it would seem probable the error is on the side of optimism."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
