Regular readers and Windows users will be all too familiar with the monthly process of installing the latest security updates for Windows and Office from Microsoft. But what about all the other programs that you may have on your computer? A Danish security firm, Secunia, has for some time offered a free (for personal use) tool called the Personal Software Inspector (PSI) that runs on your Windows PC, and checks that every program it finds and recognizes is up to date as far as security patches are concerned. Its database of PC applications is very broad, though for understandable reasons not perfect; nonetheless, it is a very useful tool to add to your bag of tricks for keeping your PC safe.
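To make the check PSI performs concrete, here is an added illustration (my own code, not Secunia's) that compares a constructed software inventory against a constructed advisory table; every product name, vendor and version in it is a placeholder, and it assumes advisories are keyed by product name and give the earliest fixed version.

```python
import re

# Constructed sample inventory, not real scan output: what an inspector
# would gather from a machine as (product, vendor, installed version).
INSTALLED = [
    ("Mozilla Firefox", "Mozilla", "3.6.3"),
    ("Adobe Reader", "Adobe", "9.3.0"),
    ("Java Runtime Environment", "Sun", "1.6.0.18"),
    ("7-Zip", "Igor Pavlov", "9.10"),
]

# Constructed advisory table: product -> earliest version carrying the fix.
# The versions are illustrative placeholders, not real advisory data.
ADVISORIES = {
    "Mozilla Firefox": "3.6.4",
    "Adobe Reader": "9.3.2",
    "Java Runtime Environment": "1.6.0.20",
}

def version_key(v):
    """Turn '1.6.0.18' into (1, 6, 0, 18) so each component compares
    numerically: '3.10' must rank above '3.9', which plain string
    comparison gets wrong. Non-numeric suffixes are ignored here."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_outdated(installed, fixed):
    return version_key(installed) < version_key(fixed)

def check_inventory(installed, advisories):
    """Return (outdated, unknown): outdated lists (product, installed,
    fixed) for every recognised product below its fixed version; unknown
    lists products absent from the table, reported separately because
    'not in the database' must never be read as 'patched'."""
    outdated, unknown = [], []
    for product, vendor, version in installed:
        fixed = advisories.get(product)
        if fixed is None:
            unknown.append(product)
        elif is_outdated(version, fixed):
            outdated.append((product, version, fixed))
    return outdated, unknown

def vendor_count(installed):
    """Number of distinct vendors, i.e. distinct update mechanisms to track."""
    return len({vendor for _, vendor, _ in installed})

if __name__ == "__main__":
    outdated, unknown = check_inventory(INSTALLED, ADVISORIES)
    print(f"{vendor_count(INSTALLED)} vendors; {len(outdated)} outdated; "
          f"{len(unknown)} not in database")
    for product, have, need in outdated:
        print(f"  {product}: {have} installed, {need} needed")
```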
Secunia has also collected statistical data from the PSI, which is used by more than 2 million users, and has just issued a report [PDF] detailing their findings. The report makes for some sobering reading. The number of security bulletins for PC software has ranged from approximately 6,000 – 10,000 per year, from 2005 through 2009. The median PC user in Secunia’s sample has 66 distinct software packages installed on his Windows machine, from 22 different vendors. That is a lot of different sets of patches to keep track of and update mechanisms to understand. Not surprisingly, packages that have an automatic update mechanism, such as Windows itself, or the Mozilla Firefox browser, tend to be more up to date on the typical machine than those packages that rely entirely on the user’s diligence.
Brian Krebs, who writes the “Krebs on Security” blog, has an article at Technology Review that summarizes the results of the study.
Recent research shows that the typical PC user needs to install a security update roughly every five days in order to safely use Microsoft Windows and all of the third-party programs that typically run on top of it.
Mr. Krebs goes on to say that Secunia is planning to introduce a new security update tool that will manage security patches across all applications (or, at least, the many that Secunia knows about) for the Windows user, in an effort to make the patching process somewhat less painful.
Even though the current version of the PSI software includes links to the latest updates for each outdated application, many users still find the update process too cumbersome, says Thomas Kristensen, Secunia’s chief security officer.
The goal of making it easier for the average computer user to stay secure is laudable, but it remains to be seen how effective this approach will be. For starters, Secunia will need at least minimal cooperation from a lot of different software vendors if the service is to be truly useful. Secunia expects to have a preliminary version available for limited testing within a couple of months, and a release version later this year.
As a longtime Linux user, this seems to me to be a perfectly sensible idea; after all, it is essentially what is provided as part of the Ubuntu Linux distribution, for example. I subscribe to a security bulletin E-mail list; but there is also an automatic background process that runs daily and notifies me of any updates to the 25,295 packages that Ubuntu knows about. It makes keeping things up to date pretty painless. In the next few days, I’ll post an article here explaining how it works, which I think might clarify what Secunia is proposing to do.