Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:20 PM
Connect Directly

Secunia: Less Than 2 Percent Of PCs Are Fully Patched, Protected

More than 45 percent have in excess of 10 insecure applications running on their machines

Fewer than 2 percent of Windows PCs are fully patched with updated and secured software, according to new data gathered by Secunia.

Secunia gathered data during the past week from 20,000 new users (mostly consumers) of its free Secunia PSI 1.0 vulnerability scanner and found that 98.09 percent of them had one or more insecure software programs installed on their systems. That means the machine didn't have the latest version of the software that had fixed one or more vulnerabilities, according to Secunia.

Why such a grim outcome? "There are two reasons: The primary is that we've reached a broader audience who are not aware of the need for patching. Even those who do patch only patch the most obvious things, like the operating system, their browsers, media players, and perhaps instant messaging programs," says Thomas Kristensen, CTO of Secunia. "Another reason may be that no matter how thorough you are in a manual process, you are bound to miss a few programs simply because they aren't listed in the Add/Remove programs in the Control Panel."

According to Secunia, 30.27 percent of users had one to five insecure programs on their machine, 25.07 percent had six to 10, and 45.76 percent had 11 or more insecure software programs running on their machines.

Security experts say the biggest culprit here is third-party applications, which many users don't bother to update -- or even realize they need to do so. "It really is probably worse. I suspect that if only Windows patches were measured, the numbers would have been in excess of 80 percent of users being patched. But Secunia is including third-party apps, and user knowledge of the need to patch all of these is probably less than 2 percent," says Randy Abrams, director of technical education for Eset. "This is exactly why there are so many malicious programs exploiting third-party programs."

Even so, leaving some lower-profile third-party apps unpatched isn't a major risk, notes Richard Stiennon, chief research analyst at IT-Harvest. "For some it doesn't matter in the big picture...there aren't going to be any exploits," he says. "You've got to focus on updating Windows, QuickTime, Adobe, maybe iTunes, your AV signatures," and the high-profile software programs, he says. "Not everybody is getting everything patched perfectly, but the world still works."

Jakob Balle, IT development manager for Secunia, blogged yesterday that the numbers are actually "best-case" scenarios, mainly because Secunia PSI users are probably more security-minded, and that the data did show when a PSI user had been cleaned up previously and was just rescanning. PSI 1.0 is installed on 850,000 PCs worldwide, according to Secunia.

Eset's Abrams notes that while the nearly 2 percent "clean" statistic is likely a best-case when you include third-party applications, users who regularly patch probably don't use the tool. "The users who keep on top of what needs to be patched are not as likely to use Secunia's software, so they won't show up significantly in the stats," he says. "Twenty-thousand users probably has a very wide statistical margin of error when you consider the number of PCs out there, but in this case it would seem probable the error is on the side of optimism."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-25
PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element.
PUBLISHED: 2019-06-25
Nessus versions 8.4.0 and earlier were found to contain a reflected XSS vulnerability due to improper validation of user-supplied input. An unauthenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a users browse...
PUBLISHED: 2019-06-25
Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) Platform Security Processor (PSP; aka AMD Secure Processor or AMD-SP) 0.17 build 11 and earlier has an insecure cryptographic implementation.
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6329.
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6328.