Ryan Naraine at the ZDNet Zero Day blog reports on a study by Secunia indicating that most (98%) of Windows-based PCs have at least one insecure (i.e., unpatched) application. As explained on the Secunia blog:
By "insecure program" it is understood that there is a newer version of the program available from the vendor that corrects one or more vulnerabilities, but the user has yet to install the secure version. A vulnerability in a program can be exploited by hackers to do anything from compromising a PC, to automatically installing trojans/viruses, to sniffing out private information (passwords, credit card information, etc.).
I don’t know that Secunia is right to extrapolate from their sample of 20,000 new users of the company’s Personal Software Inspector (PSI) software to the entire population of the Internet. They argue that their customers are likely to be more security-conscious than average, but it seems likely that they’re also people who have reason to think they have vulnerable applications on their computers. Still, it’s a concerning number, and it emphasizes the need for software vendors to make security updates easy and safe for users. This includes separating the update process for important bug and security fixes, which nearly all users should be installing, from product upgrades and cross-promoted applications.
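As an added illustration (not from the post or from Secunia) of how the definition quoted above turns into a patch-level audit of a fleet, assuming constructed program names, versions and host names:

```python
"""Added example (not from the post or from Secunia): audit an installed-software
inventory against vendor 'latest fixed version' data using the post's definition
of an insecure program, then compute the share of hosts with at least one such
program. All program names, versions and host names are constructed."""
from __future__ import annotations
import re

# Constructed: newest release that corrects known vulnerabilities, per program.
# In practice this comes from vendor advisories or a feed like the one PSI uses.
LATEST_FIXED = {
    "ExampleReader": "9.3.1",
    "ExamplePlayer": "10.0.22",
    "ExampleArchiver": "3.5",
}

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '10.0.22' into (10, 0, 22) so comparison is numeric, not lexical
    (as strings '9.3.1' > '10.0.22'); trailing zeros are dropped so that
    '3.5' and '3.5.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_insecure(program: str, installed: str) -> bool:
    """True when the vendor ships a newer fixed release the host lacks.
    Programs with no known fix are not flagged (no evidence either way)."""
    latest = LATEST_FIXED.get(program)
    return latest is not None and parse_version(installed) < parse_version(latest)

def audit_host(inventory: dict[str, str]) -> list[str]:
    """Names of the insecure programs on one host, sorted."""
    return sorted(p for p, v in inventory.items() if is_insecure(p, v))

def share_with_insecure(hosts: dict[str, dict[str, str]]) -> float:
    """Fraction of hosts with at least one insecure program; this is the
    statistic the Secunia study reports as 98% for its PSI sample."""
    flagged = sum(1 for inv in hosts.values() if audit_host(inv))
    return flagged / len(hosts) if hosts else 0.0

# Constructed fleet of four hosts with installed program versions.
HOSTS = {
    "pc-01": {"ExampleReader": "9.3.1", "ExamplePlayer": "10.0.22"},
    "pc-02": {"ExampleReader": "9.3.0", "ExamplePlayer": "10.0.22"},
    "pc-03": {"ExampleReader": "9.3.1", "ExamplePlayer": "9.0.280"},
    "pc-04": {"ExampleArchiver": "3.5.0", "UnknownTool": "1.0"},
}
```

Note that a naive string comparison would wrongly call `ExamplePlayer` 9.0.280 newer than 10.0.22, which is why the audit parses versions numerically.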
I also want to challenge Secunia’s assertion that "your anti-virus will not protect you from the security threats of vulnerabilities." While it is certainly true that AV software (or any other software, for that matter) won’t protect you from all threats, one of the reasons for using AV software is to provide an additional layer of defense against attacks that exploit unknown or unpatched vulnerabilities.