Secunia: Unpatched OSes on the Rise

Written by

The number of users with unpatched operating systems rose in the US and UK over the past quarter, with Adobe Flash Player and Oracle Java continuing to expose PC users to security risks, according to Secunia.

The vulnerability management firm’s Q1 2015 PSI Country Report revealed the proportion of UK users with unpatched operating systems at 11.5% (up from 10.6% in Q4) while in the US the figure rose even further – from 12.9% to 14%.

Elsewhere, the data, which is gleaned from Secunia’s Personal Software Inspector service, revealed many of the same security gaps and challenges as previous reports.

For example, nearly 6% of programs on the average UK computer and slightly less in the US have reached end-of-life and are no longer supported.

First and foremost on these is Adobe Flash Player 16.x, which is installed on 78% of US machines and 81% on UK computers.

“Sadly, we are not seeing any improvements in the number of End-of-Life applications on private PCs. The large number of users neglecting to remove End-of-Life applications represent a serious security issue,” Secunia director of research and security, Kasper Lindgaard, told Infosecurity.

“The definition of these apps is that they are no longer maintained and supported by the vendor, and do not receive security updates. They are a popular attack vector with hackers, and should therefore always be treated as insecure. If users removed End-of-Life programs, their PCs would be a great deal more secure.”

As for the most exposed programs around – those which have a high market share and a high percentage of unpatched licenses – it’s the 'usual suspects' of Oracle Java 1.7x/7.x, Apple QuickTime 7.x and Adobe Reader 10.x in the top three.

However, a newcomer this quarter in the UK is popular P2P software uTorrent for Windows 3.x – which only has one vulnerability to its name but 58% of users haven’t patched it.

For IT admins, the enterprise environment continues to be complicated by the 59% of programs on the average UK PC which aren’t from Microsoft, and therefore require mastery of 25 different update mechanisms.

“The major challenges are to obtain and maintain a complete overview of all applications on all devices in and connected to their infrastructure, and correlating that with intelligence about new vulnerabilities, solution status and patch availability for those applications,” Lindgaard concluded.

“The short answer is to know what to patch – and then do it. There are patches available for 83% of all vulnerabilities on the day they become publicly known, so it is possible to remediate the majority of vulnerabilities, as they become known.”

What’s hot on Infosecurity Magazine?