Microsoft is still burdened with a bad reputation among users for security, although figures show its products are more secure than most on a person's computer, according to new data from the Danish security vendor Secunia.

The number of vulnerabilities in software commonly found on PCs shot up by an astounding 71 percent between 2009 and 2010, mostly due to problems in third-party applications rather than in the Windows OS or Microsoft apps, said Stefan Frei, research analyst director for Secunia. The company released its annual vulnerability report on Tuesday.

“When we dig deeper we find the main contributor is not vulnerabilities in Microsoft products but vulnerabilities in third-party products,” Frei said. “Traditionally we still perceive Microsoft programs and the Microsoft operating system to be the main culprit, the main threat. However, this has changed.”

For its report, Secunia used data from its Personal Software Inspector (PSI) application, which analyzes PCs to see if the installed programs have the latest patches. The PSI has been installed on more than 3 million computers.

Of the top 50 most commonly installed software products, 26 were made by Microsoft and 24 other applications came from a total of 14 third-party vendors, Frei said. In 2010, users had about four times more vulnerabilities in the third-party vendor products than in the Microsoft applications.

The main reason is that Microsoft’s patching mechanism is easy for users, Frei said. But the other vendors all use different systems for updating their software. Only a few use auto-update mechanisms similar to Microsoft, where users can choose to have patches automatically installed.

The lack of a common update program among all vendors creates a big opportunity for cybercriminals seeking to exploit computers with out-of-date applications, Frei said.

“There is a huge delay from the point in time when vulnerabilities are discovered and details reach the criminals, before end-users and corporate security teams actually deploy the appropriate security updates,” according to the report.

The situation is unlikely to be resolved any time soon, although Secunia has emphasized the problem at security conferences, Frei said. Smaller companies have fewer resources to dedicate to building an automated update feature into their products, he said.

“Users with the average software portfolio installed on their PCs will need to master around 14 different update mechanisms from individual vendors to update their programs and keep their IT systems protected against vulnerabilities,” according to the report. “Typical users are either unaware, or simply overwhelmed by the complexity and frequency of the actions required to keep the dozens of third-party programs found on a typical end-point system.”

Secunia built its own auto-update program. The company’s PSI 2.0 will auto-update many products with the latest patches, Frei said. PSI is free, and Secunia sells a corporate version of the product called the Corporate Software Inspector.

One of the companies that has improved dramatically is Adobe Systems, hammered a couple of years ago by the discovery of many vulnerabilities in its Reader and Flash products, Frei said. Adobe has an auto-update mechanism for Reader, Acrobat and Flash. In November, Adobe introduced a sandbox in its Reader X product, which seals the application off from attacks designed to tamper with, for example, a computer’s file system or registry. Frei said it is too soon to say how that has affected the product’s security.