The latest user security metrics show that only five percent of surveyed systems were fully up to date, with every application patched and running its latest version.
Even more disconcerting, that number is down from where it was when the firm first started doing examinations.
Secunia, the Danish security firm, posted a free utility called Secunia Personal Software Inspector (PSI) in December 2006. The first report on user findings came in May 2007, when it reported that 28 percent of all applications scanned by PSI were not secure, meaning they were older versions or there were security fixes available for the application that had yet to be installed.
In December, the company reported that 20 percent of applications scanned by PSI were not secure. One month later, with a year of collected data from the most recent 20,000 users to download Secunia PSI, the company found that just five percent of the computers scanned were fully patched and up to date.
Twenty-seven percent had between one and five insecure applications, 25 percent had between six and 10 insecure apps, and 41 percent of computers scanned had 11 or more out-of-date, old or unpatched applications.
Thomas Kristensen, CTO of Secunia, says the software vendors should be more aggressive about telling users about these new versions. “The major problem here is nobody knows there is a security update,” he told InternetNews.com. “No one knows there’s an update for Opera or OpenOffice. Very few apps are like Firefox, which pops up a window and says there’s a new version available, would you like to upgrade?”
The only way people would know about security patches is by checking advisory sites like Secunia’s or the site of each application vendor they use, and most users probably don’t care to do that.
He also said firms have to get better about handling upgrades. He lauded Adobe for changing its installer policy with the Acrobat Reader. Previously, when a new version was installed, it left the older versions. Recently, however, Acrobat Reader began removing traces of previous versions on installation.
Sun, however, was singled out for leaving multiple versions of the Java Runtime Environment (JRE) and Java 2 Standard Edition (J2SE) installs on a computer. “Sun ought to do a much better job of informing users of what’s happening and they ought to clean up the old versions unless it’s required for compatibility issues,” said Kristensen. “It really is unnecessary to leave three, five, seven versions of Sun software on a computer.”
Bill Curci, Java SE product marketing manager at Sun, said in an e-mail to InternetNews.com that Sun leaves multiple versions of Java on a user’s computer because the installer “does not assume that installing the latest release implies that users want all other versions removed from their computers.” He added that Java always uses the newest version installed on the computer, and that consumers can remove older versions of Java through the Control Panel.
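The leftover-version problem described for Acrobat Reader and for Sun’s Java installers is easy to check for on a given machine. The script below is an added example, not code from the article, Secunia, Adobe or Sun: it walks the standard Windows Uninstall registry keys (the same entries Add/Remove Programs in the Control Panel shows), groups the results into a couple of assumed product families, and flags any family with more than one release registered. The `$families` table, its regexes and the `Get-InstalledProducts` helper are illustrative choices; the registry paths are the standard Windows and JavaSoft ones.

```powershell
# Added example, not from the article or from Secunia, Adobe or Sun.
# Lists every Add/Remove Programs entry for a few product families and flags
# families with more than one version registered, i.e. upgrades that left
# earlier releases behind. Run in PowerShell on the Windows machine being checked.

# Product families to inspect. The names and regexes are assumptions that match
# the DisplayName strings those vendors' installers commonly register; extend as needed.
$families = @{
    'Java runtime' = 'Java\(TM\)|J2SE|Java Runtime|JRE'
    'Adobe Reader' = 'Adobe Reader|Acrobat Reader'
}

# 64-bit Windows keeps 32-bit installers under WOW6432Node; 32-bit Windows has only the first key.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledProducts {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            if (-not $p.DisplayName) { continue }   # components with no visible Control Panel entry
            [pscustomobject]@{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                Publisher       = $p.Publisher
                UninstallString = $p.UninstallString
            }
        }
    }
}

$installed = Get-InstalledProducts

foreach ($family in $families.Keys) {
    $entries = @($installed | Where-Object { $_.Name -match $families[$family] })
    if ($entries.Count -eq 0) { continue }
    "`n== $family : $($entries.Count) registered version(s)"
    $entries | Sort-Object Version | Format-Table Name, Version, Publisher -AutoSize | Out-String
    if ($entries.Count -gt 1) {
        "WARNING: multiple releases of $family coexist. The older ones can be removed via"
        "         Control Panel, which runs the same UninstallString each entry records:"
        $entries | ForEach-Object { "  $($_.Name) -> $($_.UninstallString)" }
    }
}

# For Sun's JRE the launcher uses the release recorded under JavaSoft CurrentVersion,
# which is the "newest version installed" behaviour Sun describes.
$jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path $jreKey) {
    "`nJavaSoft default runtime: $((Get-ItemProperty $jreKey).CurrentVersion)"
}
```

Run it as a normal user to read the inventory; removing a flagged entry still goes through the Control Panel, as Sun suggests. A family that shows a single entry after an upgrade is behaving the way Kristensen praised Adobe for; one that shows several is the case he criticised.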
Secunia PSI can be configured to run constantly, or it can be run manually when the user wants, like Windows Update. Kristensen said once a month is enough to keep a computer up to date. “I would be very happy if people would do this on Patch Tuesday. People should make a habit of regular maintenance like you do for your car. Do a Windows Update, run PSI, check to see your antivirus program is still updating. For most users that would be sufficient,” he said.
PSI is a free download. Secunia charges a fee for the network version of the product, Secunia NSI. Whereas PSI is for individual systems, NSI is run from a central console to monitor all of the Windows computers on the network.