The Secunia Q3 country report for the UK was published this week and makes for depressing reading. Nearly eight per cent of users have unpatched operating systems, and more than 15 percent have unpatched programs.
Throw in the 5.5 per cent of end-of-life programs with no ongoing support found on your average PC and the problem of security patch apathy starts to become clear.
While those numbers on their own do not sound too alarming, any vulnerable program that is unpatched serves as a gateway to the exploitation of your and other systems by hackers.
Secunia uses an example whereby if 37 percent of PCs running VLC Media Player 2.x, which has a 36 percent market share, are unpatched then 13 percent of all PCs are made vulnerable by that program. Not forgetting, of course, that the same PC will likely have a bunch of other unpatched and vulnerable programs also installed.
Which leaves us wondering why users are so slack when it comes to installing security patches? The report itself has a clue or two. On a typical PC, it states, users have to master 26 different update mechanisms to patch the 75 programs on it in order to remediate vulnerabilities. These comprise a single update mechanism for the 31 Microsoft programs that make up 42 per cent of the programs on the PC, and then 25 different update mechanisms to patch the remaining 44 programs (or 58 per cent) from the non-Microsoft vendors whose products are installed.
We asked Kasper Lindgaard, director of research and security at Secunia, how we have got into this mess both at the application and system level?
“I don't think people are deliberately ignoring security updates,” Lindgaard says. “It's more a combination of lack of awareness and resignation. Lack of awareness, in that the average computer user does not have sufficient understanding of digital security to navigate the space and identify what's more important: re-active antivirus or pro-active vulnerability management? And, once you have figured that one out, how do you choose between the many solutions available that cover different aspects of security? How do they complement each other and how do you figure out what's best? Resignation, in that maybe all of these activities required of you are just too many, and too complicated, for the average computer user to take onboard."
Lindgaard also reckons that, from the vendor side of the issue, it's also worth pointing out that this is fairly new territory to them.
"The IT industry is still in its infancy in many ways," he told SCMagazineUK.com. "Every IT company is finding its own way of going to market and communicating to users, and there are no set standards and very little best practice when it comes to something like issuing security updates. Consequently, users have to compute and handle different update mechanisms for all the vendors whose products they use. In the UK in Q3 2015, the 75 applications installed on the average private PC came from a total of 26 different vendors, not all of whom provide clear and actionable update information.”
So what is the real knock-on impact of this on cyber-security? By ignoring security updates, for whatever reason, we risk big impacts upon cyber-security within the organisation.
That's the opinion of Qualys CTO, Wolfgang Kandek, who referred to the Verizon 2015 Data Breach Investigation Report which found that of the 2,122 confirmed data breaches, 99.9 percent of the exploited vulnerabilities were more than a year old.