This morning, I read Ed Bott’s latest (Bott is a favorite of mine) – If your PC picks up a virus, whose fault is it? Here’s a summary –
Want to avoid being attacked by viruses and other malware? Two recent studies reveal the secret: regular patching. A fully patched system with a firewall enabled offers almost complete protection against drive-by attacks and outside intruders.
While reading through Bott’s article, I was certainly put in mind of Yogi Berra’s often quoted “This is like deja vu all over again.” Current Internet security, and the best practices associated with it, really is “deja vu all over again” – and over, and over, and over. The fundamentals haven’t changed. Common sense is as much in vogue now, as it ever was.
In his article (which is worth a read), Bott relies on two recently released studies to bolster his point, that staying safe online, begins with “regular patching …….. the single most important element in any security program”.
Since the underlying theme is something I hammer on here, on a regular basis, it goes without saying that I agree with Bott, and the data generated in the studies. With that in mind, I’m reposting an article which I wrote in July 2010 – If You Get A Malware Infection Who’s Fault Is It Really? – which underscores the importance of patching not only the operating system, but the often neglected patching of installed applications.
If You Get A Malware Infection Who’s Fault Is It Really?
The security industry, especially security analysts, and for that matter, computer users at large, love to dump on Microsoft when they get a malware infection. If only Microsoft got their act together, the theory goes, and hardened Windows more appropriately, we wouldn’t have to deal with this nonsense.
But, what if it isn’t entirely Microsoft’s fault? What if it’s really a shared responsibility split between Microsoft, third party software developers, and the user?
From time to time, I’m accused of being “too frank”; usually on those occasions when diplomacy needs to be put aside, so that realities can be dealt with. For example, I’ve left myself open to criticism, in some quarters, by stating on more than one occasion –
It has been my experience, that when a malware infection occurs, it’s generally safe to say, the user is, more often than not, responsible for their own misfortune.
Computer users, by and large, are lackadaisical in securing their computers against threats to their Internet safety and security.
Strong statements I’ll admit, but if you consider the following, which I have repeated over and over, you’ll understand why I feel comfortable making this statement.
Not all users make use of Microsoft’s Windows Update so that they are current with operating system critical updates, and security fixes. More to the point, few users have given consideration to the vulnerabilities that exist in third party productivity applications and utilities.
Unless you monitor your system for insecure and unpatched software installations, you have left a huge gap in your defenses – it’s just plain common sense.
The just released Secunia Half Year Report – 2010, shows “an alarming development in 3rd party program vulnerabilities, representing an increasing threat to both users and business, which, however, continues to be greatly ignored”, supports my view that security is a shared responsible, and blaming Microsoft simply ignores the reality.
The report goes on to conclude, “users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring 3rd party programs, and finding the actions to secure these too complex and time-consuming. Ultimately this leads to incomplete patch levels of the 3rd party programs, representing rewarding and effective targets for criminals.”
Key highlights of the Secunia Half Year Report 2010:
Since 2005, no significant up-, or downward trend in the total number of vulnerabilities in the more than 29,000 products covered by Secunia Vulnerability Intelligence was observed.
A group of ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe, and Cisco, account on average for 38 percent of all vulnerabilities disclosed per year.
In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010, to 760.
During the first six months of 2010, 380 vulnerabilities or 89% of the figures for all of 2009 has already been reached.
A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.
The full report (PDF), is available here.
Each week, I receive the Qualys Vulnerability Report, and I never fail to be astonished by the huge number of application vulnerabilities listed in this report. I’ve always felt, that the software industry should thank their “lucky stars”, that this report is not particularly well known outside the professional IT security community. It’s that scary.
There is a solution to this quandary however – the Secunia Personal Software Inspector (PSI).
PSI constantly monitors your system for insecure software installations, notifies you when an insecure application is installed, and even provides you with detailed instructions for updating the application when available.
ZD Net, one of my favorite web sites has stated “Secunia Personal Software Inspector, quite possibly the most useful and important free application you can have running on your Windows machine”. In my view, this is not an overstatement.
Installing this small free application will definitely assist you in identifying possible security leaks; give it a try.
The Secunia PSI is free for private use.
Downloaded over 800,000 times
Allows you to secure your PC – Patch your applications – Be proactive
Scans for Insecure and End-of-Life applications
Verifies that all Microsoft patches are applied
Tracks your patch-performance week by week
Direct and easy access to security patches.
Detects more than 300,000 unique application versions
Provides a detailed report of missing security related updates
Provides a tabbed report which indicates programs that are no longer supported – programs with all known patches – insecure programs, etc.
Provides a Toolbox offering a set of links which helps you assess a problem and how you can resolve it.
System Requirements: Windows 2000, XP 32/64bit, Vista 32/64bit, and Win 7 32/64bit.
Download at: Secunia
Bonus: Do it in the Cloud – The Secunia Online Software Inspector, (OSI), is a fast way to scan your PC for the most common programs and vulnerabilities; checking if your PC has a minimum security baseline against known patched vulnerabilities.
System Requirements: Windows 2000, XP 32/64bit, Vista 32/64bit, and Win 7 32/64bit.
Link: Secunia Online Software Inspector
As an added bonus for users, Secunia provides a forum where PSI users can discuss patching, product updates, exploits, the PSI, and anything else security-related.
If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.
8 responses to “Avoid Accidents On The Internet Highway By Patching Your OS AND Applications”
It’s a good reminder this article. Too many people don’t take this issue seriously enough. Windows Automatic Updates can sometimes be a bit slow in advising of patches (in my experience anyway), so Secunia is a good way to check for Windows updates too (apart from going to the Microsoft update site and checking).
Repetition, Repetition, Repetition – maybe some of it will stick. Maybe! 🙂
To the author of Billmullins Blog.My blog is Techtimely.wordpress.com
i am interested in your blog news and a daily visitor.i have cretaed a back link to your blog as my blogroll ,you can check it in my home page under “blogroll widget”. In turn could you link back my blog with your blogroll links?
Sure – no problem.
You’re quite right Bill.
Keep banging on the message.
Thanks for the support – much appreciated.
“Not all users make use of Microsoft’s Windows Update so that they are current with operating system critical updates, and security fixes.”
I get proof of this every week, I have PC’s that come in all the time lacking major updates. I still see XP machines running SP1 or 2, and Vista machines lacking even SP1. Even more amusing? The tray notification and popups advising of available updates that has to have been announcing this fact for years. I have zero doubts that the average user just doesn’t care.
It’s sad isn’t it? Totally agree with your assessment that – “average user just doesn’t care”.
As a professional, who would know this better than you.
As always, good to get your input on these issues.