More attention and education needs to be given to the importance of patching, according to Qualys CTO Wolfgang Kandek.
Following a light load on Microsoft's monthly Patch Tuesday this week, Kandek welcomed the fact that there were no vulnerabilities in the newly launched Windows 7, but claimed that the danger lay in MS09-065, which fixes a bug in the Windows kernel and is this month's most serious issue, as a proof of concept has been published.
He further claimed that there has been no patch issued for Office in five to six years, and that while patches are released, people are generally not applying them. Kandek said: “Even old Office applications are not updated; Office 2010 will come out with new features, but most people will never use this. There is new technology coming out, but the problem is how to get them protected.”
Kandek claimed that, as the Conficker A variant downloads IP addresses and is able to geographically figure out its own address, many companies had geo-detection and so were able to take it down; but when it comes to infection rates, it only spread through unpatched machines.
Kandek said: “We are not talking about millions of machines, it is a small number but we can see unpatched machines. People are very lazy when it comes to installing updates but we do not see any reason not to do it, and there is no reason not to do it. Even machines running unlicensed software or non-legitimate versions of Windows can install patches by turning on updates, but people still do not do it.
“How do we get over to people who are not doing it? People need to be educated. Office 2010 has a ‘click and run’ function, but it is 300 MB and some may not want to do it and might forget it. This is a small programme, but you can download a bit to make it more usable, so we will see whenever it comes out.”
Kandek concluded by claiming that it is like the car industry: you do not retrofit an old car with new technology, but if you buy a new model, it will come with all of the modern features.