The number of reported vulnerabilities in Microsoft products almost doubled over the past year, representing 47% of all flaws on private PCs, although it was Oracle that claimed responsibility for the most exposed program at the end of the year, according to Secunia.
The vulnerability management firm’s PSI Country Report for Q4 claimed that the number of vulnerabilities originating from Microsoft programs in 2014 equaled that of third-party vendors (47%), with the remaining 6% accounted for by operating systems.
However, other vendors’ software was rated as having a greater risk exposure – that is, % market share multiplied by % of unpatched PCs.
Oracle Java JRE 1.7./ 7 came top in that regard, followed by Apple QuickTime 7 and then Adobe Reader X 10.
Microsoft Internet Explorer 11, in ninth place, had the most vulnerabilities of any other software in the top 10 (248), followed by Java JRE 1.7/7 (119).
This doesn’t necessarily mean that it’s getting less secure, of course, it could be that Redmond and/or the research community is focusing more effort on finding bugs in the platform.
Users continue to disregard patching in alarming numbers.
Secunia claimed that 10.6% of UK users had unpatched OSes, while 45% hadn’t patched the aforementioned Java 7 – despite it having 119 vulnerabilities. To make matters worse, the product is one of the most popular in the UK, downloaded onto 56% of PCs, according to Secunia.
End-of-life programs are also exposing users to needless risk. Some 79% of UK users had Adobe Flash Player 15 installed despite the vendor no longer providing security updates for it.
Part of the problem lies in the fact that of the 74 programs installed on the average UK PC, 59% are from third-party vendors, requiring users to master 25 different update mechanisms to patch them.
Microsoft accounts for the remaining 41% of programs, with all of its updates pushed out under a single mechanism. However, even Redmond has come in for criticism recently for effectively taking its Advanced Notification Service private in January.
The service is now available only to premier customers, although most consumers should have automatic updates switched on as standard.