
12/4/2008
03:20 PM

Secunia: Less Than 2 Percent Of PCs Are Fully Patched, Protected

More than 45 percent have in excess of 10 insecure applications running on their machines

Fewer than 2 percent of Windows PCs are fully patched with updated and secured software, according to new data gathered by Secunia.

Secunia gathered data during the past week from 20,000 new users (mostly consumers) of its free Secunia PSI 1.0 vulnerability scanner and found that 98.09 percent of them had one or more insecure software programs installed on their systems. That means the machine didn't have the latest version of the software that had fixed one or more vulnerabilities, according to Secunia.

Why such a grim outcome? "There are two reasons: The primary is that we've reached a broader audience who are not aware of the need for patching. Even those who do patch only patch the most obvious things, like the operating system, their browsers, media players, and perhaps instant messaging programs," says Thomas Kristensen, CTO of Secunia. "Another reason may be that no matter how thorough you are in a manual process, you are bound to miss a few programs simply because they aren't listed in the Add/Remove programs in the Control Panel."

According to Secunia, 30.27 percent of users had one to five insecure programs on their machine, 25.07 percent had six to 10, and 45.76 percent had 11 or more insecure software programs running on their machines.

Security experts say the biggest culprit here is third-party applications, which many users don't bother to update -- or even realize they need to do so. "It really is probably worse. I suspect that if only Windows patches were measured, the numbers would have been in excess of 80 percent of users being patched. But Secunia is including third-party apps, and user knowledge of the need to patch all of these is probably less than 2 percent," says Randy Abrams, director of technical education for Eset. "This is exactly why there are so many malicious programs exploiting third-party programs."

Even so, leaving some lower-profile third-party apps unpatched isn't a major risk, notes Richard Stiennon, chief research analyst at IT-Harvest. "For some it doesn't matter in the big picture...there aren't going to be any exploits," he says. "You've got to focus on updating Windows, QuickTime, Adobe, maybe iTunes, your AV signatures," and the high-profile software programs, he says. "Not everybody is getting everything patched perfectly, but the world still works."

Jakob Balle, IT development manager for Secunia, blogged yesterday that the numbers are actually "best-case" scenarios, mainly because Secunia PSI users are probably more security-minded, and that the data did show when a PSI user had been cleaned up previously and was just rescanning. PSI 1.0 is installed on 850,000 PCs worldwide, according to Secunia.

Eset's Abrams notes that while the nearly 2 percent "clean" statistic is likely a best-case when you include third-party applications, users who regularly patch probably don't use the tool. "The users who keep on top of what needs to be patched are not as likely to use Secunia's software, so they won't show up significantly in the stats," he says. "Twenty-thousand users probably has a very wide statistical margin of error when you consider the number of PCs out there, but in this case it would seem probable the error is on the side of optimism."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
