Typical Windows user patches every 5 days
75 Microsoft, third-party patch events each year are a burden most users can't bear, says Secunia
"It's completely unreasonable to expect users to master so many different patch mechanisms and spend so much time patching," said Thomas Kristensen, the chief security officer of Secunia. The result is that few consumers devote the time and attention necessary to stay atop the patching job, which leaves them open to attack.
According to Secunia, of the users who ran the company's Personal Software Inspector (PSI) the last week of January, half had 66 or more programs from 22 or more different vendors on their machines. PSI is a free tool that scans PCs to produce a list of vulnerable software, but does not itself initiate updates. Instead, users are directed to the approprite vendor patch site. Nearly 2 million copies of the tool have been downloaded since Secunia debuted it in 2007.
After comparing the software portfolios on each machine with the bugs Secunia tracked during 2009, Secunia determined that the typical user faced nearly 300 vulnerabilities during the year, and with the number of vendors represented on the PC, had to deal with approximately 75 patch incidents annually.
That averages out to a patch action every 4.9 days.
"It surprised us that there were so many applications on the systems," said Kristensen, "and that then there were so many updates they had to do in a year." Also important, he said, was that the typical user had to master 22 different patch mechanisms, one from each of the 22 software makers whose programs were on her PC.
"That's why we called for software vendors to create a unified patching standard last year," said Kristensen, referring to a pitch Secunia made at the RSA Conference in 2009. The company's offer didn't go over well. "A few vendors said 'We want to hear more,' but a lot just ignored us or turned down the idea outright."
Rather than wait on software makers to come up with a single patch mechanism -- something unlikely in any case -- Secunia has stepped up to produce a patching tool that will eventually handle 70% to 80% of the software on consumers' Windows machines.
In the next six weeks, Secunia will release a technical preview of PSI 2.0, which will include automatic updating functionality similar to what Microsoft provides for Windows and other software. Before the end of the year, Secunia should have PSI 2.0 wrapped up. "Updating is complicated, and we need to get it out to users so they can give us feedback," said Kristensen. PSI 2.0 will be free to consumers.
PSI 2.0 is based on technology in Secunia's Corporate Software Inspector with Microsoft's Windows Server Update Services (WSUS), which entered beta in January.
"We want to promote patching," Kristensen said when asked why Secunia is expending resources on a product it's giving away. People know Microsoft's patch service, Windows Update, but that's not the only updating mechanism they have to deal with, he continued. "They have to patch Adobe software three, four times a year, and QuickTime, which is frequently exploited. That's why we think this will make a difference."
Secunia has published a white paper that details its PSI scan findings (download PDF).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Security execs express surprise over CISO's firing following RSA talk
- Security industry faces attacks it cannot stop
- Pennsylvania fires CISO over RSA talk
- Google attacks, Web 2.0 fuel FUD at RSA
- Analysis: Does the storm over cloud security mean opportunity?
- Microsoft's tax-for-hacks 'horrible' idea, say security experts
- FBI Director: Hackers have corrupted valuable data
- CISOs rain on cloud-computing parade at RSA
- FBI embeds cyber-investigators in Ukraine, Estonia
- Tweet this: Social network security is risky business
Read more about Security in Computerworld's Security Topic Center.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!