28% of all detected applications are insecure

13:36 CET, 16th May 2007 By Jakob Balle.

Since its release in December of last year, the free, online Secunia Software Inspector has conducted over 350,000 inspections. These inspections have identified 4.9 million popular applications (as listed here), and out of those, 1.4 million applications were found to be lacking critical security patches from the vendors.

While most people are aware of the need to update their anti-virus patterns and to raise their firewall shields, it appears that too many users either don't know that their systems are vulnerable to significant issues or that they simply don't want to spend the necessary time scouring for vulnerability information and the relevant vendor patches to properly address the issues.

This is further highlighted when we dig deeper into the figures behind the headline number: 28% of all applications detected by the Software Inspector are vulnerable.

Comparing browsers (Firefox, Opera and Internet Explorer), we found that Firefox 2 is the least vulnerable: only 5.19% of all Firefox 2 installations miss security updates, whereas 11.96% of all Opera 9.x installations miss security updates, and the numbers for IE6 and IE7 are 9.61% and 5.4% respectively. These numbers are not that alarming and show that users are fairly concerned about applying relevant updates for their browsers – which naturally is one of the most exposed applications.

But looking at media players such as Quicktime and WinAMP, the figures are more worrying: 26.96% of all WinAMP 5 installations miss important security updates and 33.14% of all Quicktime 7 installations are outdated.

Most people using Windows and Microsoft products are aware of the monthly “Patch Tuesday” routine that Microsoft has set up, which can explain why the patch level for MS products is relatively high. These numbers also indicate that many people using Firefox and Opera are concerned about security and remember to keep their products updated.

But when it comes to other applications that don't immediately seem that exposed, people tend to wait for an extended period of time before patching.

This constitutes a significant problem because many of those applications, like WinAMP and Quicktime, are readily used whenever users encounter media files of various kinds. Most people wouldn't hesitate to open an .mpg, .jpg, .mov, or .mp3 file from any source if it seems the least bit interesting and relevant. It's easy to embed a movie in your homepage, for example, and all it takes is one unpatched Quicktime vulnerability and a provocative video title to compromise a lot of visitors.

Comparing this with the figures we have for corporate environments, there isn't much of a difference, though the vulnerable applications tend to be more business-like in nature, with flaws in enterprise software and devices rather than media players. However, the overall picture is the same: the operating systems, browsers, and Microsoft applications in general appear to be updated fairly regularly. But all other applications seem to be forgotten, or receive too low a priority given the severity of the issues, and the fact is that exploits are available for a great deal of them. Not to mention that corporations have much more to lose than just their credit card details; there are client lists, design blueprints, employee information, and more at stake.

The need for tools that provide proper and exact information about which security updates are missing, on both private PCs and corporate networks, seems to be critical.

For half a year the Secunia Software Inspector has been available free of charge, with the purpose of highlighting the most important and common security issues in the most common end-user applications. This approach is fine for private individuals with one or two PCs, but for network administrators with multiple systems it isn't feasible.

To help companies Secunia has developed a new tool called the Secunia Network Software Inspector (NSI). For the last 3 weeks this has been available in a public BETA for corporate users. A total of more than 1,600 IT administrators from all over the world, from small and medium businesses to global corporations, have tested it.

The Secunia NSI can be deployed from a central server and configured to inspect multiple machines in a network. It is also capable of identifying more than 4,000 unique applications, down to the specific version number and patch level, as well as which applications are missing security updates and which ones have reached end-of-life. The feedback from the beta testing has been overwhelmingly positive, and we are grateful to all the BETA testers who participated.
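To make the kind of check described above concrete, here is an added example (not Secunia's code and not how the Software Inspector or NSI is implemented) of the basic logic behind a version-based patch inspection: a signature table maps each application branch to the lowest version that carries all known security fixes (or marks the branch end-of-life), every detected installation is compared against it, and the per-application share of insecure installations is computed the way the percentages earlier in this post are. The signature table, the host inventory and all version numbers are constructed for the demo.

```python
"""Added example: minimal version-based patch-status check over a constructed
software inventory. Signature table and inventory are made up for the demo."""
import re
from collections import defaultdict

# Hypothetical signature table (constructed values): for each (application,
# major branch), the lowest version that includes all known security fixes,
# or None when the branch is end-of-life and receives no fixes at all.
SIGNATURES = {
    ("Firefox", "2"): "2.0.0.3",
    ("Opera", "9"): "9.21",
    ("QuickTime", "7"): "7.1.6",
    ("Winamp", "5"): "5.35",
    ("Firefox", "1"): None,   # 1.x branch treated as end-of-life in this table
}

# Constructed inventory: (host, application, detected version).
INVENTORY = [
    ("pc-01", "Firefox", "2.0.0.3"),
    ("pc-01", "QuickTime", "7.1.3"),
    ("pc-02", "Firefox", "2.0.0.1"),
    ("pc-02", "Winamp", "5.35"),
    ("pc-03", "QuickTime", "7.1.6"),
    ("pc-03", "Winamp", "5.21"),
    ("pc-04", "Firefox", "1.5.0.12"),
    ("pc-04", "Opera", "9.21"),
    ("pc-05", "Opera", "9.10"),
    ("pc-05", "UnknownApp", "1.0"),
]


def parse_version(version: str) -> tuple:
    """Turn '7.1.6' into (7, 1, 6) so versions compare numerically.
    A plain string comparison would rank '9.9' above '9.21', which is wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def classify(app: str, installed: str) -> str:
    """Return 'patched', 'missing-update', 'end-of-life' or 'unknown'
    for one detected installation, based on the signature table."""
    branch = installed.split(".")[0]
    if (app, branch) not in SIGNATURES:
        return "unknown"          # no signature: cannot judge, report separately
    fixed = SIGNATURES[(app, branch)]
    if fixed is None:
        return "end-of-life"      # no fixes exist; only upgrading the branch helps
    if parse_version(installed) >= parse_version(fixed):
        return "patched"
    return "missing-update"


def inspect(inventory):
    """Classify every entry. Returns (per-application status counts, overall
    percentage of known installations that are insecure, rounded to 2 places).
    Insecure = missing-update or end-of-life; unknown entries are excluded."""
    per_app = defaultdict(lambda: defaultdict(int))
    insecure = total = 0
    for _host, app, version in inventory:
        status = classify(app, version)
        per_app[app][status] += 1
        if status != "unknown":
            total += 1
            if status != "patched":
                insecure += 1
    share = round(100 * insecure / total, 2) if total else 0.0
    return {app: dict(counts) for app, counts in per_app.items()}, share


if __name__ == "__main__":
    counts, share = inspect(INVENTORY)
    for app, statuses in sorted(counts.items()):
        print(f"{app:12s} {statuses}")
    print(f"insecure share of known installations: {share}%")
```

The numeric version compare matters in practice: version strings like "9.21" and "9.9" sort the wrong way as text, and a checker that gets this wrong will report patched systems as vulnerable or, worse, the reverse. Real inspectors also have to read the version from the binary on disk rather than trust what the application reports, and to treat an unknown application as "unknown" rather than silently "patched".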

The Secunia NSI is now available for corporate users in a full version. For more information please see:

The Secunia Software Inspector is still available FREE of charge in an easy to use Java version. It is continuously updated with new signatures to identify the latest versions and missing patches for over 40 popular applications:

Best regards,

Jakob Balle
IT Development Manager
