Thursday, October 29, 2015

How to solve a problem like security update apathy?

The Secunia Q3 country report for the UK was published this week and makes for depressing reading. Nearly eight per cent of users have unpatched operating systems, and more than 15 per cent have unpatched programs. Throw in the 5.5 per cent of end-of-life programs with no ongoing support found on your average PC and the problem of security patch apathy starts to become clear.

While those numbers on their own do not sound too alarming, any vulnerable program left unpatched serves as a gateway for hackers to exploit your system and others. Secunia uses an example whereby if 37 per cent of PCs running VLC Media Player 2.x, which has a 36 per cent market share, are unpatched, then 13 per cent of all PCs are made vulnerable by that program. Not forgetting, of course, that the same PC will likely have a bunch of other unpatched and vulnerable programs installed as well.

Which leaves us wondering why users are so slack when it comes to installing security patches. The report itself has a clue or two. On a typical PC, it states, users have to master 26 different update mechanisms to patch the 75 programs on it in order to remediate vulnerabilities. These comprise a single update mechanism for the 31 Microsoft programs that make up 42 per cent of the programs on the PC, and then 25 different update mechanisms to patch the remaining 44 programs (or 58 per cent) from the non-Microsoft vendors whose products are installed.

We asked Kasper Lindgaard, director of research and security at Secunia, how we have got into this mess at both the application and system level.