Tuesday

The next big storm: outdated browsers and plugins

In February, Secunia provided us with some statistics from their PSI tool. This tool searches for missing patches, and not only Microsoft ones, so it's excellent for detecting missing third-party patches. True, the data was gathered just after the release of patches for popular software like Adobe Reader, Quicktime, Java and Skype, but the percentage of users with at least one missing patch was high: 81.01%. This means that a lot of surfers had at least one of these plugins installed and didn't patch it, although the timeframe and sample set (282,726 PCs) can be questioned.

Based on these four security updates, we have gathered some statistics from our free Secunia PSI that shows a startling picture, detailing the amount of users who need to patch their computers, in order to safely do something as ordinary as surfing the Internet.

Currently, the Secunia PSI has been installed on 282,726 computers.

Unique installations, counting each application only once per computer:

  Adobe Reader 8.x      172,653   61.07% of all computers affected
  Apple Quicktime 7.x   133,169   47.10% of all computers affected
  Sun Java 1.5.x         98,618   34.88% of all computers affected
  Skype 3.x              57,496   20.34% of all computers affected

(Source: Secunia)
Now, the researchers from ISS have released a whitepaper with the help of Google. ISS got access to the USER-AGENT data collected by Google's web search and application servers around the world, which helped them analyse the use of web browsers and the upgrade (patching) behaviour of surfers.

Their full whitepaper and analysis can be found over here; these are some of the interesting points they listed.
(1) I think that most people would agree that Google’s visibility of the Internet is unmatched, with an estimated 75 percent of all Web searches done through their engine. That meant we had fabulous global coverage of Web browser usage. And, before you ask, no – we didn’t have access to any personally identifiable information – but CO2 emissions were kept to a minimum and no small furry animals suffered any distress at our hands while writing the whitepaper. As a result, we counted some 637 million users as using out-of-date Web browsers and potentially vulnerable to popular drive-by-download attack vectors and exploits.

(2) We found that Firefox users were the most diligent in using the latest version of their favorite Web browser, with 83.3 percent of them safely surfing the Web. Meanwhile, Internet Explorer users came in last place, with less than half of them (47.6 percent) managing to surf with a fully patched IE7 installation. I think it may be a little unfair for many IE users to be grouped in the “less diligent” bucket because they’re stuck to using IE5 or IE6 for compatibility issues with their corporate applications but, quite frankly, in this climate of commercial mass-defacements, “unfair” isn’t going to keep them safe.

(3) Being able to tap the USER-AGENT fields of the Web browser HTTP headers to Google’s search engines since the beginning of 2007 meant that we could also study the minor version information of popular browsers such as Firefox and Opera. There were some really interesting dynamics visible once it was all plotted out, and the most important component was the speed at which users updated their browser to the most current patched version. For example, Firefox users typically updated within three days, while Opera users managed 11 days and (cynically) Internet Explorer users are still struggling to transition to IE7 (let alone any incremental super-Tuesday patches) even after a year-and-a-half. So, with that in mind, Firefox’s auto-update system wins hands-down in my opinion.
Read their full post here.
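The browser-version tally ISS built from USER-AGENT headers can be reproduced on a much smaller scale against your own web server logs, which is a cheap way to find outdated browsers on a network you are responsible for. The following is an added example written for this post, not code from ISS or Secunia; the "latest version" baseline and the sample User-Agent strings are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
# Illustrative baseline versions chosen for this example only (not from the post);
# a real inventory check would load a maintained list instead.
LATEST = {"Firefox": "2.0.0.14", "Opera": "9.27", "MSIE": "7.0"}

# Opera is tried first: its "identify as IE" mode embeds "MSIE 6.0" in the UA string.
PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("MSIE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]

def parse_user_agent(ua):
    # Return (family, version) or None when no known browser token is present.
    for family, pattern in PATTERNS:
        m = pattern.search(ua)
        if m:
            return family, m.group(1)
    return None

def version_tuple(v, width=4):
    """Pad to a fixed width so '7.0' and '7.0.0.0' compare as equal."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def is_outdated(family, version):
    return version_tuple(version) < version_tuple(LATEST[family])

def summarize(user_agents):
    """Per-family totals and outdated counts, the tally the whitepaper reports."""
    stats = defaultdict(Counter)
    for ua in user_agents:
        parsed = parse_user_agent(ua)
        if parsed is None:
            stats["unknown"]["total"] += 1
            continue
        family, version = parsed
        stats[family]["total"] += 1
        stats[family]["outdated"] += int(is_outdated(family, version))
    return {family: dict(c) for family, c in stats.items()}

# Constructed sample User-Agent strings in 2008-era formats, not real log data.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 9.25",
    "curl/7.18.0",
]
```

Calling `summarize(SAMPLE_UAS)` gives one outdated install out of two for Firefox and for IE, one out of one for Opera, and a single unknown agent; the same function can be fed the User-Agent column of an access log.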

So that is 637 million users with an outdated browser, not counting plugins; ISS states that this is about 45.2% of users. Taking browser plugins into account, I could see this amount increase to 70%-80%, as we saw in the Secunia report. Combined with the drive-by downloads and the SQL injection waves we have witnessed, it's strange that botnets are still only 50-200 million strong (public estimates). If the ISS and Secunia reports are accurate, it's scary. So help your neighbours and family members and teach them to run PSI or alternative tools.
