Typical Windows user patches every 5 days
75 Microsoft, third-party patch events each year are a burden most users can't bear, says Secunia
"It's completely unreasonable to expect users to master so many different patch mechanisms and spend so much time patching," said Thomas Kristensen, the chief security officer of Secunia. The result is that few consumers devote the time and attention necessary to stay atop the patching job, which leaves them open to attack.
According to Secunia, of the users who ran the company's Personal Software Inspector (PSI) the last week of January, half had 66 or more programs from 22 or more different vendors on their machines. PSI is a free tool that scans PCs to produce a list of vulnerable software, but does not itself initiate updates. Instead, users are directed to the approprite vendor patch site. Nearly 2 million copies of the tool have been downloaded since Secunia debuted it in 2007.
After comparing the software portfolios on each machine with the bugs Secunia tracked during 2009, Secunia determined that the typical user faced nearly 300 vulnerabilities during the year, and with the number of vendors represented on the PC, had to deal with approximately 75 patch incidents annually.
That averages out to a patch action every 4.9 days.
"It surprised us that there were so many applications on the systems," said Kristensen, "and that then there were so many updates they had to do in a year." Also important, he said, was that the typical user had to master 22 different patch mechanisms, one from each of the 22 software makers whose programs were on her PC.
"That's why we called for software vendors to create a unified patching standard last year," said Kristensen, referring to a pitch Secunia made at the RSA Conference in 2009. The company's offer didn't go over well. "A few vendors said 'We want to hear more,' but a lot just ignored us or turned down the idea outright."
Rather than wait on software makers to come up with a single patch mechanism -- something unlikely in any case -- Secunia has stepped up to produce a patching tool that will eventually handle 70% to 80% of the software on consumers' Windows machines.
In the next six weeks, Secunia will release a technical preview of PSI 2.0, which will include automatic updating functionality similar to what Microsoft provides for Windows and other software. Before the end of the year, Secunia should have PSI 2.0 wrapped up. "Updating is complicated, and we need to get it out to users so they can give us feedback," said Kristensen. PSI 2.0 will be free to consumers.
PSI 2.0 is based on technology in Secunia's Corporate Software Inspector with Microsoft's Windows Server Update Services (WSUS), which entered beta in January.
"We want to promote patching," Kristensen said when asked why Secunia is expending resources on a product it's giving away. People know Microsoft's patch service, Windows Update, but that's not the only updating mechanism they have to deal with, he continued. "They have to patch Adobe software three, four times a year, and QuickTime, which is frequently exploited. That's why we think this will make a difference."
Secunia has published a white paper that details its PSI scan findings (download PDF).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Security execs express surprise over CISO's firing following RSA talk
- Security industry faces attacks it cannot stop
- Pennsylvania fires CISO over RSA talk
- Google attacks, Web 2.0 fuel FUD at RSA
- Analysis: Does the storm over cloud security mean opportunity?
- Microsoft's tax-for-hacks 'horrible' idea, say security experts
- FBI Director: Hackers have corrupted valuable data
- CISOs rain on cloud-computing parade at RSA
- FBI embeds cyber-investigators in Ukraine, Estonia
- Tweet this: Social network security is risky business
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!