navigation bar left navigation bar right

Secunia CSI7
navigation left tab About us navigation right tab
navigation left tab Careers navigation right tab
navigation left tab Memberships navigation right tab
navigation left tab Newsroom navigation right tab
navigation left tab Contact us navigation right tab
Blog
News
Articles

28% of all detected applications are insecure

Get this blog as an RSS Feed
Since its release in December of last year, the free, online Secunia Software Inspector has conducted over 350,000 inspections. These inspections have identified 4.9 million popular applications, and out of those, 1.4 million applications were found to be lacking critical security patches from the vendors.
13:36 CET on the 16th May 2007
Entry written by Jakob Balle.

Since its release in December of last year, the free, online Secunia Software Inspector has conducted over 350,000 inspections. These inspections have identified 4.9 million popular applications (as listed here), and out of those, 1.4 million applications were found to be lacking critical security patches from the vendors.

While most people are aware of the need to update their anti-virus patterns and to raise their firewall shields, it appears that too many users either don't know that their systems are vulnerable to significant issues or that they simply don't want to spend the necessary time scouring for vulnerability information and the relevant vendor patches to properly address the issues.

This fact is further highlighted if we dig deeper into the figures behind the fact that 28% of all detected applications by the Software Inspector are vulnerable.

Comparing browsers and looking at Firefox, Opera and Internet Explorer, we found out that Firefox 2 is the least vulnerable, as only 5.19% of all Firefox 2 installations miss security updates, whereas 11.96% of all Opera 9.x installations miss security updates, and the numbers for IE6 and IE7 are 9.61% and 5.4% respectively. These numbers are not that alarming and show that users are fairly concerned about applying relevant updates for their browsers – which naturally is one of the most exposed applications.

But looking at media players such as Quicktime and WinAMP, then the figures are more worrying, as 26.96% of all WinAMP 5 installations miss important security updates and 33,14% of all Quicktime 7 installations are outdated.

Most people using Windows and Microsoft products are usually aware of the monthly “Patch Tuesday” routine that Microsoft has set up, which can explain why the patch level for MS products are relatively high. These numbers also indicate that many people using Firefox and Opera are concerned about security and remember to keep their products updated.

But when it comes to other applications that don't immediately seem that exposed, people tend to wait for an extended period of time before patching.

This constitutes a significant problem because many of those applications, like WinAMP and Quicktime, are readily used whenever users encounter media files of various kinds. Most people wouldn't hesitate to open an .mpg, .jpg, .mov, or .mp3 file from any source if it seems the least bit interesting and relevant. It's easy to embed a movie in your homepage, for example, and all it takes is one unpatched Quicktime vulnerability and a provocative video title to compromise a lot of visitors.

Comparing this with the figures we have for corporate environments, there isn't much of a difference, though the vulnerable applications tend to be more business-like in nature, exploiting flaws in enterprise software and devices rather than media players. However, the overall picture is the same: the operating systems, browsers, and Microsoft applications in general appear to be updated fairly regularly. But all other applications seem to be forgotten, or receive too low a priority given the severity of the issues, and the fact is that exploits are available for a great deal of them. Not to mention that corporations have much more to lose than just their credit card details; there's client lists, design blueprints, employee information, and more at stake.

The need for tools to provide proper and exact information about which security updates are missing on both private PCs and corporate networks seem to be critical.

For half a year the Secunia Software Inspector has been available free of charge, with the purpose of highlighting the most important and common security issues in the most common user-end applications. This approach is fine for private individuals with a one or two PCs but for the network administrators with multiple systems this approach isn't feasible.

To help companies Secunia has developed a new tool called the Secunia Network Software Inspector (NSI). For the last 3 weeks this has been available in a public BETA for corporate users. A total of more than 1,600 IT administrators from all over the world, from small and medium businesses to global corporations, have tested it.

The Secunia NSI can be deployed from a central server and configured to inspect multiple machines in a network. It is also capable of identifying more than 4,000 unique applications, down to the specific version number and patch level, as well as which applications are missing security updates and which ones have reached end-of-life. The feedback of the beta testing has been overwhelmingly positive, and we are grateful to all the BETA testers who participated in this event.

The Secunia NSI is now available for corporate users in a full version. For more information please see:
http://secunia.com/network_software_inspector/

The Secunia Software Inspector is still available FREE of charge in an easy to use Java version. It is continuously updated with new signatures to identify the latest versions and missing patches for over 40 popular applications:
http://secunia.com/software_inspector/

Best regards,

Jakob Balle
IT Development Manager

Discuss this blog entry
A new thread in our forum is created. Activate the thread by commenting/discussing below.
Subject: 28% of all detected applications are insecure
 
No posts yet

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


Secunia is a member of FIRST Secunia is a member of EDUcause Secunia is a member of The Open Group Secunia is a member of FS-ISAC
 
Secunia © 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability - Disclaimer
follow Secunia on Facebook follow Secunia on Twitter follow Secunia on LinkedIn follow Secunia on YouTube follow Secunia Xing follow Secunias RSS feed follow Secunia on Google+