Secunia's free Personal Software Inspector tool checks all the software on your PC, identifies any programs that need updates, and helps you apply those updates. The company also gathers stats on vulnerabilities and publishes a yearly report. At the RSA Conference, Secunia's CEO Peter Colsted and CTO Morten Stengaard went over the latest report with me.
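To make concrete what a Personal Software Inspector-style check actually does, here is an added example (written for this page, not Secunia's code, and not PSI's real data format): an inventory of installed programs is compared against a feed of latest known versions, with a version comparison that handles multi-digit components correctly. Both the inventory and the feed are constructed sample data. Products the feed does not cover come back as "unknown" rather than "current", which is the caveat a practitioner wants: an off-brand program that no scanner tracks is not thereby patched.

```python
"""Added example, not Secunia's code: a minimal PSI-style outdated-software check.
INSTALLED and LATEST are constructed sample data; PSI's real feeds are not shown here.
"""
from dataclasses import dataclass
import re

# Constructed sample inventory: what an installed-software scan might return.
INSTALLED = {
    "Adobe Reader": "11.0.06",
    "Java": "7.0.51",
    "Flash Player": "12.0.0.70",
    "Firefox": "28.0",
    "Foxit Reader": "6.1.3.321",
}

# Constructed sample feed: hypothetical latest-release version per tracked product.
LATEST = {
    "Adobe Reader": "11.0.07",
    "Java": "7.0.55",
    "Flash Player": "12.0.0.70",
    "Firefox": "28.0.1",
}


def parse_version(v: str) -> tuple:
    """Split a dotted version into (int, suffix) pairs so that 7.0.9 < 7.0.10.

    Plain string comparison would get that wrong ("7.0.9" > "7.0.10").
    A trailing non-numeric suffix such as the 'b' in '1.2.3b' is kept as
    a string so '1.2.3' sorts before '1.2.3b' instead of raising.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        parts.append((int(m.group(1)), m.group(2)) if m else (0, piece))
    return tuple(parts)


@dataclass
class Finding:
    product: str
    installed: str
    latest: str   # empty when the feed has no entry for the product
    status: str   # "outdated", "current" or "unknown"


def inspect(installed: dict, latest: dict) -> list:
    """Classify every installed product against the feed."""
    findings = []
    for product, ver in sorted(installed.items()):
        if product not in latest:
            # Not tracked: no verdict. "Unknown" is not the same as "safe".
            findings.append(Finding(product, ver, "", "unknown"))
        elif parse_version(ver) < parse_version(latest[product]):
            findings.append(Finding(product, ver, latest[product], "outdated"))
        else:
            findings.append(Finding(product, ver, latest[product], "current"))
    return findings


def outdated(installed=INSTALLED, latest=LATEST) -> list:
    """Names of products that need an update, sorted."""
    return [f.product for f in inspect(installed, latest) if f.status == "outdated"]


if __name__ == "__main__":
    for f in inspect(INSTALLED, LATEST):
        print(f"{f.status:8s} {f.product:14s} installed={f.installed} latest={f.latest or '-'}")
```

Run stand-alone it prints one line per product; on the sample data Adobe Reader, Java and Firefox are flagged as outdated, Flash Player is current, and Foxit Reader is reported as unknown because the constructed feed does not track it.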
"Overall, the majority of vulnerabilities are still in third-party programs," said Stengaard. "The total number is increasing, with over 13,000 new ones in 2013 compared to an average of around 9,000 in previous years. The big increase is primarily driven by IBM. It's still a huge problem, with over 2,000 vulnerable products."
Stengaard noted that among the 50 most commonly seen vulnerabilities, most are in non-Microsoft programs, even though the number of affected Microsoft programs is large. "Microsoft products are fairly well covered," said Stengaard, "and people do tend to update." (A recent study showed that keeping Windows patched is an important element of any security strategy.)
The report clearly shows vastly more vulnerabilities in the most popular browsers and PDF readers than in off-brands. "You can use whatever product you want, as long as you patch," said Colsted. "If you know you're not going to patch, you're better off using a less common program."
Change in Attitude
"We're seeing a new strategy in enterprises," said Stengaard. "Instead of putting a patch through heavy testing before deploying it, they're rolling out patches as they appear, with an option to roll back if the patch causes trouble."
The old test-first strategy rests on the idea that a patch might do harm, so I asked how long it had been since the last "bad patch." Stengaard replied, "In reality it's been years since a Microsoft patch broke anything. Same with many third-party apps. Our clients are feeling more secure."
Mobile Tracking
Secunia released an Android version of PSI last year, but the data isn't yet complete enough to merit an Android-specific report. "Malware is so easy on Android," said Stengaard, "there's just no incentive to pursue vulnerabilities. The few that exist target the usual suspects—always-installed items like browsers and PDF readers. We predicted an increase this past year, but it hasn't come yet."
The company is considering an iOS edition as well. "Many more of our customers are asking for iOS support," said Stengaard. "It's there, it's in the company, so they want to track it."
People Don't Patch
"To summarize our results this year," said Colsted, "the presence of security vulnerabilities is an increasing issue. It's not going away. And people just don't patch, that's a continuing issue. Adobe Reader, Java, Flash, browsers, they continue to have problems."
"People really need to do their patching," he said. "Either set it up automatically or do it manually. It's like when antivirus was new; it took a while for people to realize it's a necessity. Now the real problem is security vulnerabilities. Patching those is exactly parallel to keeping antivirus protection working."
"If you really aren't going to patch," concluded Colsted, "then you should choose a little-known program rather than the popular big names." The folks at Opera and Foxit Reader will surely be glad to hear that. You can view the full report on Secunia's website.