Security researchers at Secunia published an eye-opening report in a blog post today, saying in the note that based on their observations, less than 2 percent of all active Windows PCs are fully patched against known security vulnerabilities.
Cripes! We’ve been hearing for years that being fully patched is fairly unrealistic, but less than 2 percent, that’s truly terrible stuff, especially when you consider that many of the near 800,000 respondents to Secunia’s research project likely work at organizations that have spent a good deal of time, effort and money attempting to stay abreast of new advisories. Consumers are obviously far less likely to keep up with everything that gets reported.
Secunia arrived at the figure via data streamed back from its PSI application, which it has been distributing to end users at no cost for more than a year. The application specifically promises to allow users to “map, patch and secure the programs installed on their PCs.”
And in fact, Secunia estimates that its results error on the positive side of things, as people who have gone through the trouble of finding and downloading the tool are obviously more concerned about security issues than their peers who have not. Thus, if you tested the unwashed masses, the final tally would likely be even lower.
The research and services specialists qualified their deductions by defining machines with “insecure” or un-patched applications as those running out-of-date programs that have newer iterations that included security patches.
Out of a sample group of roughly 20,000 randomly selected participants, the company found that:
-1.91 percent of all PCs were fully up to snuff -30.27 percent had 1-5 out of date applications -25.07 percent had between 6-10 potentially vulnerable programs -45.76 percent had 11 or more problematic applications
Secunia thus warns:
“A vulnerability in a program can be exploited by hackers to anything from compromising a PC, to automatically install Trojans/viruses, to sniff out private information (passwords, credit cards information, etc.). And remember, your anti-virus will not protect you from the security threats of vulnerabilities in programs!”
That’s a key point that a lot of end users, even business users, likely forget about. Non-behavioral AV only looks for the attacks that it has been programmed to look for, not those that are designed to go after specific vulnerabilities, in particular the nastiest drive-by and zero day stuff.
So, as security experts have been telling people for a long time, patch your systems or compute at your own risk!
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.