Third-Party Applications Responsible for Bulk of Vulnerabilities

Sue Marquette Poremba

Earlier this week, Microsoft released its monthly Patch Tuesday updates. Even though this month saw fewer patches than in recent months, I don’t know of a month that had no patches. That alone would make it seem like Microsoft has a serious problem with its security, but we also know that for years, Microsoft applications were prime targets of hackers (which led to a generation of smug Apple users).

Yes, Microsoft has security flaws. Sometimes there are major security flaws. But, according to a new study, some of the applications we think are the most secure are actually the biggest problem. The Secunia Vulnerability Review 2013 found that 86 percent of vulnerabilities discovered in the most popular 50 programs in 2012 were in non-Microsoft (or third-party) programs. That’s up from 78 percent in 2011. And that, InfoWorld pointed out, included those applications we are often steered to because they are “safe”:

Google Chrome, Mozilla Firefox, and Apple iTunes were the most vulnerable among popular software programs in 2012.

One of the reasons behind these “hidden” vulnerabilities is our approach to patching. Patch Tuesday makes us think about Microsoft vulnerabilities and making sure they are updated every month. The report even stated that IT professionals are focused on updating Microsoft programs and OS, but are not as diligent with other software applications. The report calls this behavior “reckless” because in the most popular 50 programs, no fewer than 1,137 vulnerabilities were discovered in 18 different programs and because 84 percent of vulnerabilities had a patch available on the day they were disclosed.


Microsoft is still vulnerable, of course. I’m not letting them skirt here. Windows 7 is still working out a number of kinks and had the most vulnerabilities of any Microsoft product. But those products are getting patched, and I’m sure one of the reasons is Patch Tuesday. It is regular. It is announced. Our computers are set up to install the updates automatically (if we are smart).

As Morten R. Stengaard, Secunia's Director of Product Management, said in a release:

There is no excuse for not patching. To take advantage of this improvement in patch availability, organizations must know which programs are present on their systems and which of these programs are insecure, and then take an intelligent and prioritized approach to remediating them. Companies cannot continue to ignore or underestimate non-Microsoft programs as the major source of vulnerabilities that threaten their IT infrastructure and overall IT-security level. The number of vulnerabilities is on the increase, but many organizations continue to turn a blind eye, thereby jeopardizing their entire IT infrastructure.

He’s absolutely right. There is no excuse for not patching. And there is no excuse for remaining in the mindset that only one or a few companies have vulnerabilities or are being exploited. The hackers are looking for any way into your system, and unless you are patching regularly, there is no such thing as safe and secure.


