IDG News Service - Microsoft is still burdened with a bad reputation among users for security, although figures show its products are more secure than most on a person's computer, according to new data from the Danish security vendor Secunia.
The number of vulnerabilities in software commonly found on PCs shot up by an astounding 71% between 2009 and 2010, mostly due to problems in third-party applications rather than in the Windows OS or Microsoft apps, said Stefan Frei, research analyst director for Secunia. The company released its annual vulnerability report on Tuesday.
"When we dig deeper we find the main contributor is not vulnerabilities in Microsoft products but vulnerabilities in third-party products," Frei said. "Traditionally we still perceive Microsoft programs and the Microsoft operating system to be the main culprit, the main threat. However, this has changed."
For its report, Secunia used data from its Personal Software Inspector (PSI) application, which analyzes PCs to see if the installed programs have the latest patches. The PSI has been installed on more than 3 million computers.
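The core of what a PSI-style scanner does, as an added example that is not Secunia's code: compare each installed program's version with the oldest version a vendor considers patched, using numeric rather than string ordering. The product names, versions and baseline table below are constructed sample data, not real advisories.

```python
"""Patch-currency audit over a software inventory (added example, not Secunia's PSI).

A scanner like PSI inventories installed programs and flags those below the
vendor's minimum patched version. The subtle part is version comparison:
'10.0.9' sorts AFTER '10.0.10' as a string but is older numerically.
"""
import re

# Constructed baseline: oldest patched version per product (hypothetical values).
MIN_PATCHED = {
    "Acme Reader": "10.1.0",
    "Acme Flash": "10.2.161",
    "Acme Media Player": "2.0.12",
}

# Constructed inventory, shaped like the (name, version) pairs an agent would
# read from the Windows "Uninstall" registry keys or a package database.
INVENTORY = [
    ("Acme Reader", "10.0.9"),
    ("Acme Flash", "10.2.161"),
    ("Acme Media Player", "2.0.9"),
    ("Unknown Tool", "1.0"),
]

def parse_version(v):
    """Turn '10.2.161-rc1' into (10, 2, 161); trailing non-numeric suffixes are dropped."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_outdated(installed, minimum):
    """True when the installed version is numerically below the minimum patched one."""
    return parse_version(installed) < parse_version(minimum)

def audit(inventory, baseline):
    """Per-product status: 'ok', 'outdated', or 'unknown' when no baseline exists.
    'unknown' is reported rather than silently passed, since an untracked
    program is exactly the kind the article says users lose sight of."""
    report = {}
    for name, version in inventory:
        if name not in baseline:
            report[name] = "unknown"
        elif is_outdated(version, baseline[name]):
            report[name] = "outdated"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for name, status in audit(INVENTORY, MIN_PATCHED).items():
        print(f"{name:20} {status}")
```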
Of the top 50 most commonly installed software products, 26 were made by Microsoft and 24 other applications came from a total of 14 third-party vendors, Frei said. In 2010, users had about four times more vulnerabilities in the third-party vendor products than in the Microsoft applications.
The main reason is that Microsoft's patching mechanism is easy for users, Frei said. But the other vendors all use different systems for updating their software. Only a few use auto-update mechanisms similar to Microsoft, where users can choose to have patches automatically installed.
The lack of a common update program among all vendors creates a big opportunity for cybercriminals seeking to exploit computers with out-of-date applications, Frei said.
"There is a huge delay from the point in time when vulnerabilities are discovered and details reach the criminals, before end-users and corporate security teams actually deploy the appropriate security updates," according to the report.
The situation is unlikely to be resolved any time soon, although Secunia has emphasized the problem at security conferences, Frei said. Smaller companies have fewer resources to dedicate to building an automated update feature into their products, he said.
"Users with the average software portfolio installed on their PCs will need to master around 14 different update mechanisms from individual vendors to update their programs and keep their IT systems protected against vulnerabilities," according to the report. "Typical users are either unaware, or simply overwhelmed by the complexity and frequency of the actions required to keep the dozens of third-party programs found on a typical end-point system."
Secunia built its own auto-update program. The company's PSI 2.0 will auto-update many products with the latest patches, Frei said. PSI is free, and Secunia sells a corporate version of the product called the Corporate Software Inspector.
One of the companies that has improved dramatically is Adobe Systems, hammered a couple of years ago by the discovery of many vulnerabilities in its Reader and Flash products, Frei said. Adobe has an auto-update mechanism for Reader, Acrobat and Flash.
In November, Adobe introduced a sandbox in its Reader X product, which seals the application off from attacks designed to tamper with, for example, a computer's file system or registry. Frei said it is too soon to say how that has affected the product's security.