One aspect of the past year that ESET senior research fellow David Harley notes is the continuing prevalence of autorun problems in Windows. In particular, he says, despite the very real impact of Microsoft's countermeasures against infection by INF/Autorun threats, the two most prevalent threats remain INF/Autorun and Win32/Conficker. “That,” he concludes, “tells us something depressing about the quantity of unpatched systems that still seem to be out there.”
Coupled with Microsoft’s own research showing that most exploits are detected after a vulnerability is patched or a product updated, this would suggest that more efficient patching will go a long way to solving the majority of security problems. This begs the question, why are there so many unpatched systems?
“I’ve wondered about why people don’t update for a long time,” says Harley, “and I don’t have an altogether satisfactory answer.”
One possibility is that there is a larger number of pirated operating systems in existence than most people think. Pirated software users tend not to do anything that might highlight themselves to the vendor. Harley believes that this will account for ‘a certain percentage’ but that other factors may be more important. “Perhaps Windows running in virtual environments are not being updated because they’re not ‘real’ installations.”
He also believes that many people are sticking with old versions of their software. “There’s certainly a percentage running vulnerable but no-longer-supported OS versions – but that’s kind of a circular argument, since you’d expect people to apply service packs or update to a better/safer OS eventually.”
In addition, some companies have a reluctance to apply updates, possibly for fear of upsetting the existing balance in their infrastructure or simple complacency. “There are companies,” he suggests, “that are unusually paranoid about applying updates.” This was one of the issues that surfaced around Stuxnet. “Some SCADA sites just didn’t consider it practical to update machines because they couldn’t be taken offline – raising questions about redundancy and contingency plans.” We can add to this all of those sites with specialist systems that rely on maintaining an obsolete/obsolescent OS, “not uncommon in medical research, for example”, he suggests, and also sites and organizations that just won’t spend money until a system dies. Here Harley points to his time working in the NHS. “When I left the NHS in 2006 there was still support – of a sort – for the line of consumer Windows versions that had petered out with ME, even though there was virtually no antivirus support available for those versions by that time.”
There’s also, he adds, a percentage of people who won’t even think about AV or patches and updates because they aren’t seeing any problems on their system. Most malware isn’t noticeable. “Maybe that’s the hard core of unpatched system users,” he concludes rather depressingly.