Typical Windows user patches every 5 days
75 Microsoft, third-party patch events each year are a burden most users can't bear, says Secunia
"It's completely unreasonable to expect users to master so many different patch mechanisms and spend so much time patching," said Thomas Kristensen, the chief security officer of Secunia. The result is that few consumers devote the time and attention necessary to stay atop the patching job, which leaves them open to attack.
According to Secunia, of the users who ran the company's Personal Software Inspector (PSI) during the last week of January, half had 66 or more programs from 22 or more different vendors on their machines. PSI is a free tool that scans PCs to produce a list of vulnerable software, but does not itself initiate updates. Instead, users are directed to the appropriate vendor patch site. Nearly 2 million copies of the tool have been downloaded since Secunia debuted it in 2007.
After comparing the software portfolios on each machine with the bugs Secunia tracked during 2009, Secunia determined that the typical user faced nearly 300 vulnerabilities during the year, and with the number of vendors represented on the PC, had to deal with approximately 75 patch incidents annually.
That averages out to a patch action every 4.9 days.
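The scan described above has two parts: build an inventory of installed programs and their publishers, then compare each program's version against the advisories tracked for it. The following PowerShell is an added illustration of that approach, not Secunia's PSI code; the advisory table and the sample inventory are constructed placeholders, and the only real data source is the Windows Uninstall registry keys that `Get-InstalledSoftware` reads.

```powershell
# Added example (not PSI's implementation): inventory installed software from the
# registry Uninstall keys, count distinct publishers (one patch mechanism each),
# and flag programs whose installed version is below a "first fixed" version.

# Constructed advisory table for illustration: name prefix -> first fixed version.
# These entries are placeholders, not real advisories.
$FixedIn = @{
    'Example Reader' = [version]'9.3.1'
    'Example Player' = [version]'7.6.6'
}

function Get-InstalledSoftware {
    # Machine-wide 64-bit and 32-bit (WOW6432Node) views, plus per-user installs.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            # DisplayVersion is free text; keep only a leading dotted numeric version.
            $v = $null
            if ($_.DisplayVersion -match '^\d+(\.\d+){1,3}') { $v = [version]$Matches[0] }
            [pscustomobject]@{
                Name      = $_.DisplayName
                Publisher = if ($_.Publisher) { $_.Publisher } else { '(unknown)' }
                Version   = $v
            }
        } | Sort-Object Name, Version -Unique
}

function Find-VulnerableSoftware {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [Parameter(Mandatory)][hashtable]$Advisories
    )
    foreach ($app in $Inventory) {
        foreach ($prefix in $Advisories.Keys) {
            if ($app.Name -like "$prefix*") {
                $fixed = $Advisories[$prefix]
                # An unparseable version is reported, not silently treated as patched.
                $state = if ($null -eq $app.Version)  { 'unknown-version' }
                         elseif ($app.Version -lt $fixed) { 'vulnerable' }
                         else                              { 'patched' }
                [pscustomobject]@{
                    Name = $app.Name; Publisher = $app.Publisher
                    Installed = $app.Version; FixedIn = $fixed; State = $state
                }
            }
        }
    }
}

function Write-PatchSummary {
    param([Parameter(Mandatory)][object[]]$Inventory, [Parameter(Mandatory)][hashtable]$Advisories)
    $report  = @(Find-VulnerableSoftware -Inventory $Inventory -Advisories $Advisories)
    $vendors = @($Inventory | Select-Object -ExpandProperty Publisher -Unique).Count
    $needing = @($report | Where-Object State -eq 'vulnerable').Count
    "{0} programs from {1} publishers ({1} separate patch mechanisms); {2} need patching" -f `
        $Inventory.Count, $vendors, $needing
    $report | Where-Object State -ne 'patched' | Format-Table -AutoSize
}

# Constructed sample inventory so the comparison runs offline; replace with
# (Get-InstalledSoftware) to scan the local machine.
$sample = @(
    [pscustomobject]@{ Name = 'Example Reader 9';   Publisher = 'Example Corp'; Version = [version]'9.2.0' }
    [pscustomobject]@{ Name = 'Example Player';     Publisher = 'Other Vendor'; Version = [version]'7.6.6' }
    [pscustomobject]@{ Name = 'Example Reader X';   Publisher = 'Example Corp'; Version = $null }
    [pscustomobject]@{ Name = 'Unrelated Utility';  Publisher = 'Third Vendor'; Version = [version]'1.0' }
)
Write-PatchSummary -Inventory $sample -Advisories $FixedIn
```

Run against the constructed sample, the summary reports 4 programs from 3 publishers with 1 vulnerable entry (Example Reader 9 at 9.2.0, below 9.3.1) and one unknown-version entry left for the operator to check; the publisher count stands in for the number of distinct update mechanisms the article complains about. Registry `DisplayVersion` strings are vendor-controlled and often omit the patch level, which is why a version-only comparison like this is a screening step rather than a substitute for checking the patched binaries themselves.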
"It surprised us that there were so many applications on the systems," said Kristensen, "and that then there were so many updates they had to do in a year." Also important, he said, was that the typical user had to master 22 different patch mechanisms, one from each of the 22 software makers whose programs were on her PC.
"That's why we called for software vendors to create a unified patching standard last year," said Kristensen, referring to a pitch Secunia made at the RSA Conference in 2009. The company's offer didn't go over well. "A few vendors said 'We want to hear more,' but a lot just ignored us or turned down the idea outright."
Rather than wait on software makers to come up with a single patch mechanism -- something unlikely in any case -- Secunia has stepped up to produce a patching tool that will eventually handle 70% to 80% of the software on consumers' Windows machines.
In the next six weeks, Secunia will release a technical preview of PSI 2.0, which will include automatic updating functionality similar to what Microsoft provides for Windows and other software. Before the end of the year, Secunia should have PSI 2.0 wrapped up. "Updating is complicated, and we need to get it out to users so they can give us feedback," said Kristensen. PSI 2.0 will be free to consumers.
PSI 2.0 is based on technology from Secunia's Corporate Software Inspector, an enterprise product that integrates with Microsoft's Windows Server Update Services (WSUS) and entered beta in January.
"We want to promote patching," Kristensen said when asked why Secunia is expending resources on a product it's giving away. People know Microsoft's patch service, Windows Update, but that's not the only updating mechanism they have to deal with, he continued. "They have to patch Adobe software three, four times a year, and QuickTime, which is frequently exploited. That's why we think this will make a difference."
Secunia has published a white paper that details its PSI scan findings.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.