by Chris Taylor

I have given seminars on computer security at OPCUG meetings. I give them on an on-going basis at the Ottawa Public Library – http://opcug.ca/OPL.htm. It would be an understatement to say I care about computer security.

A few years ago, I had to stand in front of audiences and tell them they must keep their software patched for security vulnerabilities. I would tell them that Microsoft has a decent service for keeping their products patched called variously; Windows Update, Microsoft Update, or Automatic Updates, depending on what they felt like calling it any particular week. Okay, maybe it just feels like they change product names that often.

Then I had to keep a straight face and tell people that they should visit the vendor web sites for all their other software, search for security updates for the version they used, and install those updates. And that they should do this every month or two.

A few years ago, I ran across a wonderful, free program from Secunia called Personal Software Inspector (PSI). Secunia is tracking over 20,000 programs for security vulnerabilities, and PSI can apply security patches for you. I wrote a review of PSI in the January, 2011 issue of the newsletter - http://opcug.ca/Articles/1101.pdf

I knew Secunia gave away PSI free for personal use in order to spread the word and get people to tell their administrators at work about how great it is (there is a commercial offering that costs money) and also to find out about programs they were not yet tracking for security vulnerabilities/security patches.

In late February Secunia sent out an email, saying the Secunia Vulnerability Review 2014 was available. It turns out that Secunia is also collecting anonymous data using PSI to find out about the programs we use and our exposure to security vulnerabilities.

According to Secunia, the average user has 75 programs installed. Of course, I am proud to report that PSI found 160 programs on my main desktop computer! Without PSI, I wouldn’t have a hope of keeping up-to-date on security patches for all of those.

 

Secunia reports that, in 2013, an astounding 2,289 vulnerable products from 539 vendors were discovered with a total of 13,073 vulnerabilities in them. This represents a 45% increase in vulnerabilities over five years, and a 32% increase from 2012 to 2013.

Secunia also looked at various versions of Windows itself. It is interesting to note that all versions of Windows had about the same number of vulnerabilities found in 2013. The larger number of vulnerabilities in Windows 8 actually stems from the fact that Adobe Flash Player is integrated into Internet Explorer in Windows 8. I have to wonder if Microsoft regrets that decision! Remove the 50 (!) vulnerabilities in Adobe Flash Player and the vulnerabilities found in Windows range from 99 in Windows XP to 104 in Windows 8 – essentially a dead heat. This also makes me wonder about Microsoft’s assertion that newer versions of Windows are more secure.

 

 

If anyone wonders why I recommend they remove Adobe Acrobat Reader and install a replacement such as Foxit Reader, only need look at the 67 (!) vulnerabilities found in Adobe Reader vs. the 1 vulnerability found in Foxit Reader.

The report also has information on browser security, the top 50 apps, zero-day vulnerabilities, criticality of vulnerabilities, time-to-patch, and more.

The full 20-page report is available at http://secunia.com/vulnerability-review/

---

Originally published: September, 2014

top of page