FRAMINGHAM 18 JANUARY 2011 - Microsoft is still burdened with a bad reputation among users for security, although figures show its products are more secure than most of the other software found on a person's computer, according to new data from the Danish security vendor Secunia.
The number of vulnerabilities in software commonly found on PCs shot up by an astounding 71% between 2009 and 2010, mostly due to problems in third-party applications rather than in the Windows OS or Microsoft apps, said Stefan Frei, research analyst director for Secunia. The company released its annual vulnerability report on Tuesday.
"When we dig deeper we find the main contributor is not vulnerabilities in Microsoft products but vulnerabilities in third-party products," Frei said. "Traditionally we still perceive Microsoft programs and the Microsoft operating system to be the main culprit, the main threat. However, this has changed."
For its report, Secunia used data from its Personal Software Inspector (PSI) application, which analyzes PCs to see if the installed programs have the latest patches. The PSI has been installed on more than 3 million computers.
Of the top 50 most commonly installed software products, 26 were made by Microsoft and 24 other applications came from a total of 14 third-party vendors, Frei said. In 2010, users had about four times more vulnerabilities in the third-party vendor products than in the Microsoft applications.
The main reason is that Microsoft's patching mechanism is easy for users, Frei said. The other vendors, by contrast, all use different systems for updating their software. Only a few use auto-update mechanisms similar to Microsoft's, in which users can choose to have patches installed automatically.
The lack of a common update program among all vendors creates a big opportunity for cybercriminals seeking to exploit computers with out-of-date applications, Frei said.
"There is a huge delay from the point in time when vulnerabilities are discovered and details reach the criminals, before end-users and corporate security teams actually deploy the appropriate security updates," according to the report.
The situation is unlikely to be resolved any time soon, although Secunia has emphasized the problem at security conferences, Frei said. Smaller companies have fewer resources to dedicate to building an automated update feature into their products, he said.
"Users with the average software portfolio installed on their PCs will need to master around 14 different update mechanisms from individual vendors to update their programs and keep their IT systems protected against vulnerabilities," according to the report. "Typical users are either unaware, or simply overwhelmed by the complexity and frequency of the actions required to keep the dozens of third-party programs found on a typical end-point system."