Microsoft XML Remains ‘Most Exposed’ UK Software Program

A worryingly large number of UK PC users are still running multiple unpatched software programs, with Microsoft XML Core Services 4 the most exposed, according to new data from vulnerability management firm Secunia.

The firm’s quarterly report for Q2 2014 found that 10% of UK PC users are running unpatched operating systems, with the figure a percentage point higher for unpatched third-party programs.
It ranked the top ten most exposed programs by multiplying each program's percentage market share by the percentage of its installations left unpatched.
Microsoft XML Core Services 4 retained the top spot as most exposed program, which it has held since December 2012 despite no new vulnerabilities having been discovered over the past 12 months.
Secunia said 40% of users were running an unpatched version of the product.
This was the same figure as for second-placed Oracle Java JRE 1.7x/7.x; however, the Microsoft software’s larger market share (74%) pushed it to the top of the “most exposed” list.
“The reason MSXML is topping the list is because of the way updates for the software are being handled,” explained Secunia director of research and security, Kasper Lingaard.
“Normally, patches for Microsoft products are offered through Windows Update. But in the case of MSXML, patches are only offered for MSXML Service Pack 3. Since older MSXML Service Packs are considered end-of-life, users are not being offered patches as they normally would.”
Lingaard advised users to install the latest service pack for the software so that patches could once again be made available through Windows Update.
Secunia also listed the top ten end-of-life programs – that is, those for which patches are no longer available and which should be removed.
Adobe Flash Player 13.x topped the list with a 69% market share, followed by Google Chrome 34.x (40%) and Adobe Flash Player 12.x (33%).
Lingaard claimed that as Adobe has only recently released version 14 of Flash Player, most users have yet to upgrade from the outdated version.
“It is always recommended to remove end-of-life programs from your PC as they are no longer maintained and supported by the vendor and do not receive security updates,” he added.
“They must therefore be treated as insecure. If you identify and remove end-of-life programs you have made your PC a great deal more secure.”
Part of the problem when it comes to minimizing risk through vulnerable software versions is that the typical user runs 76 programs from 26 different vendors, according to Secunia.
Although 31 of these are Microsoft programs with a single update mechanism, the rest belong to vendors each with their own unique way of updating.
Cybercriminals deliberately target software vulnerabilities as they know many users will find it too taxing to manage such updates, the firm added. 