I downloaded the Secunia PSI on one of the Windows computers I maintain, thinking “surely, I’m pretty good about updating stuff, it won’t find big things”. Well, I was sadly mistaken. The top culprits are:
- Java, for not uninstalling older releases when newer ones get installed
- Non-functioning auto-update features. Two examples would be Java and VLC, both of them set to check for updates daily, but neither of them actually being up to date.
- Flash with its half-install (the kit either installs it for FF/Opera/Safari or for IE). Because I updated it using FF, IE was left with the older version.
- MS Office 2003 – I have no plans of upgrading to 2007, so I’m left with 2003.
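Two of the culprits above (several Java releases sitting side by side, and a Flash Player whose IE build and Firefox/Opera/Safari build disagree) can be checked from the machine itself before or after running the PSI. The PowerShell below is an added example, not the post’s or Secunia’s code: it reads the standard Uninstall registry keys, then compares the version of the Flash ActiveX control with that of the NPAPI plugin. The Flash folder names and file patterns are assumptions about the usual install location and may differ on a given machine.

```powershell
# Added example (not from the original post): flag stale Java releases and a
# half-updated Flash Player by reading what is actually on the machine.

# Standard locations of per-product uninstall entries (32- and 64-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# One row per installed product that carries a DisplayName.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher

# 1. Java: more than one runtime entry means older releases were never removed.
#    The name patterns are assumptions about how Sun/Oracle label the entries.
$java = @($installed | Where-Object {
    $_.DisplayName -match '^Java(\(TM\))? ' -or $_.DisplayName -match '^J2SE'
})
if ($java.Count -gt 1) {
    Write-Warning ("{0} Java entries present; only the newest should remain:" -f $java.Count)
    $java | Sort-Object DisplayVersion | Format-Table -AutoSize
} elseif ($java.Count -eq 1) {
    "Single Java entry: {0} {1}" -f $java[0].DisplayName, $java[0].DisplayVersion
}

# Build a comparable System.Version from a file's version resource.
# (FileVersion as a string is not used because some vendors format it with commas.)
function Get-FileVersionObject($file) {
    $vi = $file.VersionInfo
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart,
        $vi.FileBuildPart, $vi.FilePrivatePart
}

# 2. Flash: the ActiveX control (Flash*.ocx) serves IE, the NPAPI plugin
#    (NPSWF*.dll) serves Firefox/Opera/Safari. Updating through one browser
#    leaves the other file untouched, which is the half-install described above.
#    Folder and file name patterns are assumptions.
$flashDirs = @(
    "$env:SystemRoot\System32\Macromed\Flash",
    "$env:SystemRoot\SysWOW64\Macromed\Flash"
)
$ocx   = @(Get-ChildItem -Path $flashDirs -Filter 'Flash*.ocx' -ErrorAction SilentlyContinue)
$npapi = @(Get-ChildItem -Path $flashDirs -Filter 'NPSWF*.dll'  -ErrorAction SilentlyContinue)

$ieVersions = @($ocx   | ForEach-Object { Get-FileVersionObject $_ })
$ffVersions = @($npapi | ForEach-Object { Get-FileVersionObject $_ })

if ($ieVersions.Count -gt 0 -and $ffVersions.Count -gt 0) {
    # Newest copy of each; System.Version sorts correctly as a version, not as text.
    $ieMax = ($ieVersions | Sort-Object -Descending)[0]
    $ffMax = ($ffVersions | Sort-Object -Descending)[0]
    if ($ieMax -ne $ffMax) {
        Write-Warning ("Flash half-install: IE (ActiveX) is {0}, NPAPI plugin is {1}" -f $ieMax, $ffMax)
    } else {
        "Flash ActiveX and NPAPI builds agree: {0}" -f $ieMax
    }
} elseif ($ieVersions.Count -gt 0 -or $ffVersions.Count -gt 0) {
    Write-Warning "Flash is installed for only one browser family (IE or NPAPI, not both)."
}
```

Run it in an elevated PowerShell prompt so both registry views and the System32 folders are readable. It reports what is present; deciding whether the newest version found is actually current still needs an external reference such as the PSI, which is the point of the post.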
The conclusion: trust, but verify. Run the PSI now! (Yes, it is a little annoying – especially that it wants to sit in the tray and give you messages from time to time – but that can be disabled.) Make sure you’re patched. This is another example of the need for defense in depth: you can’t trust one entity to get things right. The beauty of the PSI is that it doesn’t need to be constantly running, thus it doesn’t increase the attack surface and doesn’t drain system resources (like some other online, always-running applications).
PS. Seeing this, I can fully agree with Secunia’s numbers that less than 2% of all the computers out there are fully patched. Some pooh-poohed the number, saying that the sample size was too small, even though Secunia (rightly) pointed out that the sample set was most probably biased towards the more security-conscious people, the real situation out there being much worse! Seeing is believing!