Third-party software bugs skyrocket in 2010

Lack of auto-patching tools leaves Windows users vulnerable to attack, says Secunia

Page 2 of 2

The rising tide of vulnerabilities in third-party programs leaves users confused or worse, said Frei. "From the end-user's perspective, it adds lots of additional complexity, and makes the management of a PC that much harder," he said.

Most software makers don't make an effort to keep users safe, Frei argued, pointing out the dearth of automatic updating mechanisms like Microsoft's Windows Update. There are some exceptions -- Google, Mozilla and Adobe, which recently offered hands-off patching -- but for the most part, users have to scramble to dig up and download fixes themselves.

Which leaves most Windows machines vulnerable to attack.

"The best ways to reduce the risk...would be reducing the number of vulnerabilities and the window of opportunity to exploit vulnerabilities," said Frei in his report. "Sadly, data from more than a decade shows that the industry has proved unable to reduce the number of vulnerabilities discovered in their products, and there is little hope that this will change substantially in the years ahead."

With bug counts unlikely to shrink, users need a way to "readily install patches and thereby reduce the window of opportunity for criminals," Frei continued.

Along those lines, Secunia is working on an update to PSI, dubbed PSI 2.0, that will automatically fetch security patches from some 3,000 software vendors. PSI 2.0 was released as a "technical preview" last month, and will ship in final form before the end of the year, said Frei.

"It will automate the download and installation of the different third-party installation programs," Frei said. "It will either do it all automatically, or if the user wants, in a manual mode that says, 'Okay, here's the update, do you want it?'"

PSI 2.0's preview can be downloaded from Secunia's site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.

Copyright © 2010 IDG Communications, Inc.
