99% of attacks could be stopped by patching

Microsoft’s chief UK security advisor Stuart Aston has pointed out that less than 1% of attacks are based on zero-day exploits. The implication is clear: 99% of attacks could be stopped by anti-malware and up-to-date, fully patched software. The problem is that users rarely find the time to do it.

Microsoft has long sought to solve this problem via its auto-update systems. Now Intego's Myers is hoping that Mac users will get a similar service from Apple. “Apple has added an interesting feature to the upcoming OS X Mountain Lion [slated for next month], that I hope may help with this issue. It looks for security updates, daily or as you restart, then it downloads and installs them in the background.” It appears that this will only apply to the operating system. But what about the huge majority of vulnerabilities found in third-party PC applications?

Secunia has been concentrating on vulnerabilities and patch management since its foundation in 2002. In its Secunia Yearly Report, 2011, it comments, “Only securing the operating system (OS) and Microsoft programs leaves end-points at considerable risk. However, the power to protect end-points is in the hands of all users as 72% of the vulnerabilities had a patch available on the day of vulnerability disclosure.”

Unpatched software is a huge open door for the bad guys. Secunia is trying to shut that door. Today it releases PSI version 3.0, a free security scanner that not only locates third-party applications in need of updating or patching, but automatically pushes those updates to the user. It doesn’t cover every single application there is, but it does apply to all of the vendors supported by Secunia – and that’s more than 3000.

“Updating software is a daunting task,” Secunia’s chief security officer Thomas Kristensen told Infosecurity. “Most software vendors don't provide proper silent and automated updating mechanisms. This forces users to manually identify out-of-date and insecure software that needs to be updated and conduct the entire updating process. With the launch of the PSI 3.0 we are about to move a mountain by offering automatic and silent updating to all users.”
