
The pain of software patching

Image source: http://ballyhooligan.files.wordpress.com/2009/07/bandaid.jpg

Thanks to this ComputerWorld article, today I learned that Secunia has published a very interesting study of software use patterns, and has calculated from this a very interesting number: 90% of Windows users should be patching something on their computer at least once a week.

What a scary number, eh? How did they get there?

Secunia’s report says it better than I can, but here’s a quick summary. Secunia looked at the numbers returned from the more than two million installations of Secunia PSI, a tool that inventories installed software, cross-references it against known vulnerabilities and lets you know what installed software is out of date and needs patching. The first finding was: 50% of PSI users have more than 66 programs installed, and those programs came from more than 22 different vendors. Think about that: half the users out there need to stay on top of 22 or more different vendor update strategies!

Secunia then cross-referenced against their own (very good) vulnerability database, coming up with their second major finding: 90% of users were affected by more than 51 vulnerability advisories in the last 12 months. Which (using my own math) averages out to needing a patch every 7.1 days. For a whole year. So, basically everyone should be performing a weekly check-and-patch routine. Keep in mind that for a great deal of installed software, this check-and-patch procedure is not automated.

From a sysadmin’s point of view, the study definitely confirmed something I had suspected: staying patched isn’t as easy as falling off a log. But again from a sysadmin’s point of view, I think it’s worth stating a few questions and caveats:

  1. How is Secunia counting the number of programs? If I do a simple WMIC query (wmic product get name, vendor) on my own personal PC, I come up with 135 ‘products’ installed. But 37 of those are just MS Office components. Another large number are components of MS Visual Studio. And then there are things like “Junk Mail filter update” and “MSXML 4.0 SP2 (KB954430).” Do these sorts of things really count in the final tally? When I look in “Programs and Features” on my copy of Windows 7, it says 142 programs are installed. Why the disparity? Which number would PSI report?
  2. Definitely keep in mind that Secunia collected this information via their Personal Software Inspector (PSI) program. So it is likely not indicative of the software load we would find on corporate PCs where sysadmins have any control over what’s installed.
  3. Secunia’s report doesn’t attempt to determine which programs/vendors commonly need the most patches. My own educated guess is that, on a typical Windows PC, the lion’s share of patches are going to come from three main sources: Microsoft, Sun (Java), and Adobe (Flash, Reader). Apple’s QuickTime and iTunes would probably come in fourth.
    1. Microsoft’s patch solution (for all their products) is well integrated into the OS. From a sysadmin’s point of view, it’s pretty much a solved problem.
    2. Keeping Sun’s Java, Apple’s QuickTime, and Adobe’s Flash/Reader products up to date is more problematic from the enterprise point of view, but not insoluble.
    3. Almost everything else is a pain in the neck, but probably accounts for less than 20% of our vulnerability worries.
  4. We’re talking desktops/laptops here, not server room stuff.
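As an added example (not code from the original post or from Secunia), here is one way to see where the disparity in item 1 comes from: `wmic product` reads the WMI class Win32_Product, which only knows about MSI-installed packages, whereas “Programs and Features” is built from the registry Uninstall keys, which also cover non-MSI installers such as Flash, Reader and Java. The script assumes a Windows host with PowerShell and local admin rights; the SystemComponent filter is an approximation of the Control Panel’s hiding rules.

```powershell
# Added example: reconcile the Win32_Product count with the Programs and Features count.
# Caveat: enumerating Win32_Product makes Windows Installer re-verify every MSI
# package on the machine, so it is slow and noisy in the Application event log.

# The registry keys Programs and Features reads (64-bit, 32-bit and per-user installs).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Entries without a DisplayName, or flagged SystemComponent=1, are the
# "Junk Mail filter update"-style items the Control Panel does not show.
$registryApps = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.SystemComponent -ne 1 } |
    Select-Object DisplayName, DisplayVersion, Publisher)

# What "wmic product get name, vendor" sees: MSI packages only.
$msiApps = @(Get-WmiObject -Class Win32_Product |
    Select-Object @{n='DisplayName';e={$_.Name}},
                  @{n='DisplayVersion';e={$_.Version}},
                  @{n='Publisher';e={$_.Vendor}})

"Programs and Features view (registry): {0}" -f $registryApps.Count
"Win32_Product view (MSI only):         {0}" -f $msiApps.Count
"Distinct vendors to track for updates: {0}" -f @($registryApps.Publisher |
    Where-Object { $_ } | Sort-Object -Unique).Count

# Software the MSI view misses entirely: these are the non-MSI installers a
# patch-management routine has to track through some other channel.
$msiNames = $msiApps | ForEach-Object { $_.DisplayName }
$registryApps |
    Where-Object { $msiNames -notcontains $_.DisplayName } |
    Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
```

The last table is the useful output for a sysadmin: it is the list of products that Windows Update, WSUS and MSI-based inventory will never patch for you.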

And now the good news

For quite some time I have hoped that MS would find some way to crack this nut and deliver a comprehensive patching solution via the operating system. Linux and the BSDs have mostly solved the problem via centralized package management systems: it’s relatively easy to get all or mostly all of your software from a small number of repositories and regularly check those repositories, installing any updates or new versions found.

The nature and size of the proprietary Windows software ecosphere make such a centralized package management system pretty much impossible to carry out in real life. Too many software makers would simply not check their stuff into the repository. However it’s not impossible to envision a system where all Windows software vendors supply an update URL, and there is some standardized way for Windows itself to regularly check each program’s URL for updates. I can only imagine that the legal and security implications of this are what’s keeping MS from dipping a toe into those waters. So it’s good to know that Secunia are going to be trying their hand at it!

Out in consumer PC land, Secunia already have a good start with their PSI product. It does a pretty good job of enumerating installed software, flagging the stuff that needs updates, and providing the download URL for those updates. I recommend it to friends and relatives (there’s also an online version). And the ComputerWorld article says Secunia are working on the next step now: PSI 2.0 will not just identify software needing patches, but will have the ability to apply patches, just like Windows Update. Secunia say they will have a technical preview of PSI 2.0 out within the next 6 weeks.

For us sysadmins, they have a corporate equivalent for centralized management of 3rd party patches already available: Secunia CSI 4.0 Beta. It apparently automatically packages up those 3rd party patches and delivers them via WSUS. This looks really promising, and I hope to test it out and write a future article detailing my observations.
