The typical home user running Windows faces the "unreasonable" task of patching software an average of every five days, a security and vulnerability research company said.
"It's completely unreasonable to expect users to master so many different patch mechanisms and spend so much time patching," said Thomas Kristensen, the chief security officer of Secunia. The result is that few consumers devote the time and attention necessary to stay atop the patching job, which leaves them open to attack.
According to Secunia, of the users who ran the company's Personal Software Inspector (PSI) the last week of January, half had 66 or more programs from 22 or more different vendors on their machines. PSI is a free tool that scans PCs to produce a list of vulnerable software, but does not itself initiate updates. Instead, users are directed to the approprite vendor patch site. Nearly 2 million copies of the tool have been downloaded since Secunia debuted it in 2007.
After comparing the software portfolios on each machine with the bugs Secunia tracked during 2009, Secunia determined that the typical user faced nearly 300 vulnerabilities during the year, and with the number of vendors represented on the PC, had to deal with approximately 75 patch incidents annually.
That averages out to a patch action every 4.9 days.
"It surprised us that there were so many applications on the systems," said Kristensen, "and that then there were so many updates they had to do in a year." Also important, he said, was that the typical user had to master 22 different patch mechanisms, one from each of the 22 software makers whose programs were on her PC.
"That's why we called for software vendors to create a unified patching standard last year," said Kristensen, referring to a pitch Secunia made at the RSA Conference in 2009. The company's offer didn't go over well. "A few vendors said 'We want to hear more,' but a lot just ignored us or turned down the idea outright."
Rather than wait on software makers to come up with a single patch mechanism, something unlikely in any case, Secunia has stepped up to produce a patching tool that will eventually handle 70% to 80% of the software on consumers' Windows machines.
In the next six weeks, Secunia will release a technical preview of PSI 2.0, which will include automatic updating functionality similar to what Microsoft provides for Windows and other software. Before the end of the year, Secunia should have PSI 2.0 wrapped up. "Updating is complicated, and we need to get it out to users so they can give us feedback," said Kristensen. PSI 2.0 will be free to consumers.
PSI 2.0 is based on technology in Secunia's Corporate Software Inspector with Microsoft's Windows Server Update Services (WSUS), which entered beta in January.
"We want to promote patching," Kristensen said when asked why Secunia is expending resources on a product it's giving away. People know Microsoft's patch service, Windows Update, but that's not the only updating mechanism they have to deal with, he continued. "They have to patch Adobe software three, four times a year, and QuickTime, which is frequently exploited. That's why we think this will make a difference."
Secunia has published a white paper that details its PSI scan findings (download PDF).