Are you patched? Interesting statistics from Secunia Software Inspector
So, are you patched? Secunia have released statistics harvested via their new Software Inspector that make interesting reading:
http://secunia.com/blog/4/
Synopsis:
Of the 400,000 detected applications, over 35% were insecure versions. In particular, Secunia have revealed that:
- 4.12% of IE6 users were insecure.
- 35.47% of Firefox users were running vulnerable versions.
- 13.04% of Opera users are unpatched.
- 53% of Flash 9x users are running vulnerable versions.
- 6.8% of Skype users are insecure.
The results for Firefox are worrying. Firefox introduced an auto-update mechanism several versions ago, but it seems that far too many FF users are either running versions that do not have the mechanism, or are not updating (whether it be because they've turned the feature off, their firewall is interfering or the browser is installed but is not being used).
It is unfortunate that the statistics don't include Sun Java, which does not remove old versions when updated. Up until version 1.5.6 of Sun Java (I think), malware was able to use old, vulnerable versions of Sun Java to infect systems, even if newer versions were installed, and even now old versions can be called under limited circumstances.
The Flash results are worrying. Macromedia, when it is updated, does not remove old, vulnerable files that are installed. On some systems I have tested I have found up to three different versions of Flash still installed. That being said, the existence of flash*.ocx on a system does not necessarily mean that the bad guys can access the file. Does anybody know if old versions of Flash can be used by bad guys if later versions are installed (as is/was the case with Sun Java)?
The very low number of vulnerable IE6 users highlights how important, and effective, services such as Microsoft and Windows Update, Automatic Update, WSUS/SMS/SUS are. Sometimes I wonder if it would be a good idea for Microsoft to offer third party vendors the opportunity to distribute their updates via AU, or at least alert users of AU to the existence of a security update for a third party product. Services such as Secunia's Software Inspector are excellent, but people need to know about them to use them.
I'd like to encourage Web site owners who have home users as their primary readership to publicise the Secunia service on their sites and blogs.