Vulnerable Windows Machines? Shocking!

[FUD Watch with CSO Senior Editor Bill Brenner] Vulnerability clearinghouse Secunia releases new research suggesting nearly all Windows PCs are at risk. Didn't we know that already?

Bob Brenner

Vulnerability clearinghouse Secunia just released a study that will surely send Windows users -- just about everyone -- running to the corner to assume the fetal position. Or not.

You see, the Copenhagen-based security company is telling us something we more or less knew already -- that more than 98 percent of Windows computers have at least one unpatched application and nearly half have 11 or more attack-prone programs.

The company reached that conclusion after running its Personal Software Inspector (PSI) utility on machines in the past week and finding one or more applications in need of available security updates. PSI scans Windows boxes for installed applications, then compares their version numbers to the most up-to-date versions, Computerworld scribe Gregg Keizer explained in his report on the matter. If they're different, it makes a record of it and spits back a link to the security update. Secunia CTO Thomas Kristensen says more than 120,000 people have downloaded PSI in the past week, and the company randomly selected 20,000 of those installations to use as lab rats.
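The version-comparison step described above, as an added illustration (not Secunia's PSI code): an inventory of installed applications is checked field by field against a catalogue of current releases, and anything behind is recorded with the vendor's update link. It also covers the caveat a practitioner will hit first, that comparing version strings lexically rather than numerically hides outdated software. Product names, versions and URLs are constructed placeholders.

```python
# Added example (not Secunia's PSI code): the version-inventory check the
# column describes, written for illustration. An inventory of installed
# applications is compared, field by field, against a catalogue of current
# releases; anything behind is recorded together with the update link.
import re

def parse_version(text):
    """'9.0.124.0' -> (9, 0, 124, 0). Numeric fields matter: as strings,
    '9.0.48.0' would sort *after* '9.0.124.0' and hide an outdated plug-in."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_outdated(installed, latest):
    """True if installed < latest. Shorter tuples are zero-padded so that
    '7.6' and '7.6.0' compare equal rather than raising a false positive."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def scan(inventory, catalogue):
    """Return [(app, installed, latest, update_url)] for every catalogued
    application whose installed version is behind. Applications missing from
    the catalogue are skipped: no reference data means no verdict."""
    findings = []
    for app, installed in sorted(inventory.items()):
        entry = catalogue.get(app)
        if entry and is_outdated(installed, entry["latest"]):
            findings.append((app, installed, entry["latest"], entry["url"]))
    return findings

# Constructed sample data: product names, versions and URLs are placeholders.
SAMPLE_INVENTORY = {
    "Example PDF Reader": "8.1.2",
    "Example Flash Plug-in": "9.0.48.0",
    "Example Media Player": "7.6",
    "Internal LOB Tool": "1.0",          # not in catalogue -> skipped
}
SAMPLE_CATALOGUE = {
    "Example PDF Reader": {"latest": "8.1.2", "url": "https://vendor.example/pdf"},
    "Example Flash Plug-in": {"latest": "9.0.124.0", "url": "https://vendor.example/flash"},
    "Example Media Player": {"latest": "7.6.0", "url": "https://vendor.example/media"},
}

if __name__ == "__main__":
    for app, have, want, url in scan(SAMPLE_INVENTORY, SAMPLE_CATALOGUE):
        print(f"{app}: installed {have}, current {want}, update: {url}")
```

Run against the sample data, only the plug-in is reported; the reader is current and the media player's "7.6" is treated as equal to "7.6.0".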

"Most people keep Windows up to date because it's so easy to use Windows Update," Kristensen told Keizer. "Adobe Reader and Flash and Apple QuickTime are like that, too, as are browsers. But a lot of third-party [browser] plug-ins don't have any [update mechanism] and so people don't keep them updated."

Let me clarify: This isn't a swipe at Secunia for the conclusions it reached. It's a warning that vulnerability management vendors will probably start using this research to hound potential customers. They're just doing their jobs, but busy IT security practitioners may start getting e-mails about this and lose time worrying about whether or not this is a new problem.

To any Windows-based IT shop, the findings shouldn't come as a surprise.

We've reported before that many exploits target flaws for which a fix has long been available. A recent estimate from Verizon, for example, suggested 90 percent of successful exploits these days involve vulnerabilities for which a patch has been available for six months or longer.

"For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach," Verizon says on page 15 of its 2008 Data Breach Investigations Report. "Also worthy of mention is that no breaches were caused by exploits of vulnerabilities patched within a month or less of the attack." The lesson was that a patch-deployment strategy focusing on coverage and consistency is far better at preventing data breaches than "fire drills" attempting to patch particular systems as soon as patches are released, the report noted.

Kaspersky Lab Security Evangelist Ryan Naraine made the point in one of my recent podcasts that enterprises continue to struggle with the patching upkeep.

Companies are getting better at deploying security updates for their operating systems and Web browsers. But as Naraine noted, admins and users consistently overlook available patches for the third-party media players and PDF readers everyone is using.

So while the Secunia research is good food for thought, nobody should be stunned.

The advice from security experts remains the same: It pays to take a regular inventory of all the systems on the network and have a process to track, install and manage patches. There's no one-size-fits-all approach, but most IT administrators are smart enough to hammer out a system that works for them.

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to

Copyright © 2008 IDG Communications, Inc.
