28% of all detected applications are insecure- Secunia

[FreewheelinFrank]

Since its release in December of last year, the free, online Secunia Software Inspector has conducted over 350,000 inspections. These inspections have identified 4.9 million popular applications (as listed here), and out of those, 1.4 million applications were found to be lacking critical security patches from the vendors.

While most people are aware of the need to update their anti-virus patterns and to raise their firewall shields, it appears that too many users either don't know that their systems are vulnerable to significant issues or that they simply don't want to spend the necessary time scouring for vulnerability information and the relevant vendor patches to properly address the issues.

This fact is further highlighted if we dig deeper into the figures behind the fact that 28% of all detected applications by the Software Inspector are vulnerable.

Comparing browsers and looking at Firefox, Opera and Internet Explorer, we found out that Firefox 2 is the least vulnerable, as only 5.19% of all Firefox 2 installations miss security updates, whereas 11.96% of all Opera 9.x installations miss security updates, and the numbers for IE6 and IE7 are 9.61% and 5.4% respectively. These numbers are not that alarming and show that users are fairly concerned about applying relevant updates for their browsers – which naturally is one of the most exposed applications.

But looking at media players such as Quicktime and WinAMP, then the figures are more worrying, as 26.96% of all WinAMP 5 installations miss important security updates and 33,14% of all Quicktime 7 installations are outdated.

Most people using Windows and Microsoft products are usually aware of the monthly “Patch Tuesday” routine that Microsoft has set up, which can explain why the patch level for MS products are relatively high. These numbers also indicate that many people using Firefox and Opera are concerned about security and remember to keep their products updated.

But when it comes to other applications that don't immediately seem that exposed, people tend to wait for an extended period of time before patching.

http://secunia.com/blog/11/

Brian Krebs at Security Fix picks up the story:

Firefox Surfers More Likely Patched Than IE Users

Internet Security vendor Secunia came to that conclusion by analyzing the results of some 4.9 million programs scanned by its "software inspector" -- a free tool which can scan your PC for missing security updates for about 30 of the most commonly installed desktop applications. Secunia found that 1.4 million of those applications were lacking in critical security patches released by their respective vendors.

Comparing browsers, Secunia looked at Firefox, Internet Explorer and Opera, and found that Firefox 2 was the least vulnerable, with just 5.19 percent of all Firefox 2 installations missing security updates. In contrast, the tool found that 11.96 percent of all Opera 9.x installations were missing security updates, while the numbers for IE6 and IE7 were 9.61 percent and 5.4 percent, respectively. Since Secunia's tool is designed to scan Windows applications, it did not test how many Safari Web browser users were up to date, which is too bad.

From where I sit, this research suggests two things. One, that the auto-patching component built into Firefox 2.0 is somewhat more effective than Microsoft's approach, which gives users the option to decline updates. With Firefox 2.0, new updates are automatically installed. IE patches are disseminated along with the rest of the security updates for Windows, via whatever mechanism the user has specified -- usually either automatic updates or manually.

Secondly, it appears that while Opera fans are seemingly always quick to claim that theirs is the most secure and least-attacked of the major browsers, its user base may be a bit more complacent about applying security updates.

http://blog.washingtonpost.com/securityfix/2007/05/firefox_surfers_more_likely_pa.html#comments

[capt]

Article is interesting if you are here to read....
A link to the program is a bit more useful in my opinion.

run it on the web:
http://secunia.com/software_inspector/

or download it here:
https://psi.secunia.com/

[Dwarden]

very flawed results they must get ... they still not fixed false positives and negatives i repored to them months ago ...

it's nice application but ...

[lee16]

Nice scan to double check your upto date (although i prefere to manual check myself because I'm a geek )

However they say the old versions are insecure which of course is true, but updating the program will solve the problem.

Only two exceptions to this are Sun Java and Flash, as they don't remove the old versions of themselves on install, true is irritating, but also easy enough to uninstall them manually before an update xD

--lee

[Lusher]

I would say making sure your proggies are up to date is far far more important than obsessing over which security software is the best.

[lee16]

Can you substantiate that claim?

Surely its best to keep upto date with software and have your own preference resident scanners etc?

And i feel i must mention that if nobody ever "obsessing over which security software is the best" we would never fix exploits i the first place as everyone would be waiting for someone else to do it for them.

Just my 2 cents 

--lee

[Lusher]

Can you substantiate that claim?

It's simple logic. There are only a limited number of ways people get infected.

1. Social engineering - You are tricked into downloading and running nonsense
2. Misconfiguration of system - A subset of this would be not being patched and getting hit by zero day exploits.

These two are very different class of problems. #1 has no solution, while #2 does in theory (though there could be near infinite number of bugs).

Hence it is much more irresponsible to write a trojan and release it as compared to releasing a zero day exploit proof of concept (though both are irresponsisble to some extent without proper disclosure).

Surely its best to keep upto date with software and have your own preference resident scanners etc?

It's a matter of practicality. I'm not advocating going around naked with no security software (though that can work) but the obsession over which security software is the *best* is a waste of time. I seriously doubt there is more than maybe a dozen people on Earth who are qualified to figure out which security software is really the *best* (whatever that means) in a very limited area...

For everyone else, at best you can narrow it down to say half a dozen or dozen possible contenders, and then let your own personal preference be the guide. But fanboyism seems to grow naturally on the net, and people have to insist that *their* choice must be clearly #1 top ranked in the world.....

And i feel i must mention that if nobody ever "obsessing over which security software is the best" we would never fix exploits i the first place as everyone would be waiting for someone else to do it for them.

Actually you are wrong. There is a huge difference between fixing security vulnerability and trying to figure out which security software is the best.The former does not necessary require the later or vice versa.

Traditionally these two are very very different circles.....

In many ways, security software is trying to be the solution to an unsolvable problem. Fixing vulnerabilities is not quite the same....

[lee16]

Actually you are wrong. There is a huge difference between fixing security vulnerability and trying to figure out which security software is the best.The former does not necessary require the later or vice versa.

Traditionally these two are very very different circles.....

In many ways, security software is trying to be the solution to an unsolvable problem. Fixing vulnerabilities is not quite the same....

I think i didn't make myself clear here, there is ovulessly a big differenc between security software and fixing vulnerabilities.

But to put what i was trying to say into understandable terms; vulnerabilities wouldn't be found if people were not looking for them, and sense "bad guys" will always try to find them you mights aswell have "good guys" obsessing over security flaws to help "combat" this so to speak.


Also I liked your first comment, made a solid claim. 

I seriously doubt there is more than maybe a dozen people on Earth who are qualified to figure out which security software is really the *best* (whatever that means) in a very limited area...

I fully agreed with this, preference if part of human nature.

--lee

[Lusher]

I think i didn't make myself clear here, there is ovulessly a big differenc between security software and fixing vulnerabilities.

But to put what i was trying to say into understandable terms; vulnerabilities wouldn't be found if people were not looking for them, and sense "bad guys" will always try to find them you mights aswell have "good guys" obsessing over security flaws to help "combat" this so to speak.

As i said, "good guys" obsessing over security flaws, is a different matter compared to people obsessing over which AV can detect the most....

Also I liked your first comment, made a solid claim. 

Funny how comments you agree with you find "solid", even though I have put no more evidence to back it up then the earlier claim which you wanted backing up....

[lee16]

Funny how comments you agree with you find "solid", even though I have put no more evidence to back it up then the earlier claim which you wanted backing up....

Notice how i used the word "claim" rather then "fact" to comfirm that i saw your side of the story. 

--lee