Mar 10

Yep, There’s a Patch for That

The average Microsoft Windows user has software from 22 vendors on her PC, and needs to install a new security update roughly every five days in order to use these programs safely, according to an insightful new study released this week.

The figures come from security research firm Secunia, which looked at data gathered from more than two million users of its free Personal Software Inspector tool. The PSI is designed to alert users about outdated and insecure software that may be running on their machines, and it is an excellent application that I have recommended on several occasions.

Stefan Frei, Secunia’s research analyst director, said the company found that about 50 percent of PSI users have more than 66 programs installed.

“Those programs come from more than 22 vendors, so as a first order estimate the number of different vendors you have on your box is the number of different update mechanisms you have to master,” Frei said. “This is doomed to fail.”

Secunia chief security officer Thomas Kristensen said his company is just a few months away from releasing a free, new tool that will automate the installation of software updates for dozens of commonly-installed third party programs. Kristensen said the tool will allow users to exclude certain applications, in the event that they don’t want to automatically update specific programs.
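To make concrete what a scanner like the PSI has to do before any "meta-patching" can happen, here is an added example (mine, not Secunia's code): it walks an inventory of installed programs, compares each installed version numerically against a table of secure versions, honours a user exclusion list like the one Kristensen describes, and counts distinct vendors as a first-order estimate of update mechanisms. The inventory, the program names other than Flash and Reader, and all version numbers are constructed for illustration; on a real Windows machine the inventory would be read from the Uninstall keys in the registry and the secure versions from a vendor advisory feed.

```python
"""Added example of an outdated-software check in the spirit of Secunia's PSI.
Not Secunia's code. Inventory entries and version numbers are constructed;
a real scanner would read HKLM\\SOFTWARE\\...\\Uninstall and a vendor feed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    vendor: str
    name: str
    version: str


def parse_version(v: str) -> tuple:
    """Turn '10.1.82.76' into (10, 1, 82, 76) so comparisons are numeric.
    Comparing the raw strings is a classic bug: '9.0.280' sorts *after*
    '10.1.82' lexicographically, so a stale Flash would look up to date."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed: str, secure: str) -> bool:
    """True when the installed version is below the secure version.
    Both tuples are padded with zeros so that '3.6' equals '3.6.0'
    (a bare tuple compare would rank (3, 6) below (3, 6, 0))."""
    a, b = parse_version(installed), parse_version(secure)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_outdated(inventory, secure_versions, exclude=()):
    """Programs below their secure version, skipping names the user has
    excluded from automatic updating and names with no advisory data."""
    return [
        p for p in inventory
        if p.name not in exclude
        and p.name in secure_versions
        and is_outdated(p.version, secure_versions[p.name])
    ]


def update_mechanisms(inventory) -> int:
    """Frei's first-order estimate: one update mechanism per distinct vendor."""
    return len({p.vendor for p in inventory})


# Constructed inventory and constructed secure-version table (not real advisories).
INVENTORY = [
    Program("Adobe", "Flash Player", "10.0.45.2"),
    Program("Adobe", "Reader", "9.3.0"),
    Program("Oracle", "Java", "6.0.180"),
    Program("Mozilla", "Firefox", "3.6.0"),
    Program("Example Corp", "Widget", "2.0"),
]
SECURE_VERSIONS = {
    "Flash Player": "10.1.82.76",
    "Reader": "9.3.0",
    "Java": "6.0.200",
    "Firefox": "3.6",
    "Widget": "1.9",
}

if __name__ == "__main__":
    for p in find_outdated(INVENTORY, SECURE_VERSIONS, exclude=("Java",)):
        print(f"OUTDATED: {p.vendor} {p.name} {p.version} "
              f"(secure: {SECURE_VERSIONS[p.name]})")
    print(f"{update_mechanisms(INVENTORY)} vendors, "
          f"so roughly that many update mechanisms to master")
```

The two padding and parsing details are where home-grown checkers go wrong: a string comparison silently passes a stale 9.x release, and an unpadded tuple comparison flags "3.6" as older than "3.6.0", which is exactly the kind of disagreement you see when different tools scan the same machine.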

Such an application, if done right, broadly adopted, and not resisted by third-party software vendors, could well reduce the number of Windows users whose machines get trashed by drive-by downloads, since those malicious or hacked sites try to silently install malware by exploiting security holes in third-party software such as Flash and Adobe Reader.

If I seem excited about the availability of a free meta-patching tool, it’s probably partly for selfish reasons. Such a tool would almost certainly spell relief for anyone who is unlucky enough to be the appointed tech support guy for their family and friends, since fewer vulnerable applications means fewer compromised PCs, and hopefully less frequent pitiful pleas for help.

A copy of the Secunia study is available here (.pdf)



  1. If you do a google for that exact phrase, you will find many references to Thomas as the source. I suspect some of them are simply typos or misquotes; but really are we so anal that we REALLY care!!?

    I’d say the subject at hand is more important, than a bunch of stuffy English teachers!

    Language is not a set thing, it is dynamic; who would have thought “Google” would be a verb, just a few years ago?

    • I stand corrected on the attribution, then. And no, I don’t care that much, and I’m feeling increasingly uncomfortable to have so derailed the topic. I shoulda known better, and I’m sorry.

      I completely agree that keeping our machines secure and up to date is the important thing here. I’m playing with the “OSI” on their site: just started it running, and I’m interested in what it finds.

      And yeah: I always thought it’d be “Yahooing”. Or even “Archieing”, back before the web.

      • Thank you for your participation here Dewi! I’m sure we all look forward to future discussions with you! We all love IT here! :)

        It is the nature of almost all IT people to be exacting in every detail, in which I’m sure you have the highest skills! If you are not in that venerable profession, you would be exceedingly proficient at it, by all my best estimates.

        • Thank you!

          I guess my codemonkey trade shows a tad. My current official job title as listed in credits is “Senior Monkey Button Pusher”: a jab at a previous job where we were all considered “junior monkey button pushers”.

          I was interested that there were differences between Secunia’s OSI, PSI and the Firefox plugin check at http://www.mozilla.com/en-US/plugincheck/ – I guess because one’s working off versions reported in Javascript, and one is looking at the exes. Or maybe one only lists security updates, and one only lists major point updates.

          OSI and Mozilla both found three outdated apps, PSI found four, but they all only agreed on one: Flash.

          Still not *hugely* impressed, though: I’ve got a good few hundred apps accreted over the years, I’d expect it to find more than four outdated. It’d also be nice to see which apps it’d detected, so I’d know which ones I’d need to check manually.

          Still cool though.

          • Ah, the PSI has an “advanced” mode, which shows everything I wanted, and everything I didn’t know I wanted, and also finds many more apps. Yay!

  2. In advanced mode you can also submit files you think should be added to their watch list, and they encourage it! There is really nothing quite like it for security professionals.