Security companies like to make shocking claims so that we will be convinced to use their products. And while part of that is just marketing, the fact is, we do need to be shocked out of our complacency every now and then. We need to be told that the boogeyman is out there and he’s going to get our computer one day. Some of the reports out there may exaggerate the size and power of the boogeyman, but be that as it may, he’s still out there, lurking in the shadows.
There’s a report floating around that claims that 98 percent of all PCs are vulnerable. The report, issued by Secunia, says that according to their data, only 1.91 percent of Windows PCs are fully patched. The company has a free utility that will check whether your software has all the latest updates and patches. I’m not in the business of doing reviews here, but I mention it because of the relevance of the data and the importance of the claim.
The report has a lot of people running scared. This is good: “scared” should be your natural state regarding computer security. Bill Brenner’s “FUD Watch” does detect a little bit of FUD in the report however, so we should take a step back and look at the reality of the situation before we take our computers, throw them out the window, and resort to typewriters and the postal service. First of all, while keeping up with the latest versions of all your software is almost always a good idea, not having the latest version doesn’t necessarily translate to a greater security risk. Patches, on the other hand, are a different story, and these should always be installed as soon as they are made available. Also, the biggest software programs, which are the ones most likely to be targeted (most notably, the Windows operating system), have an auto-update system, so this isn’t a problem. Most of us have small, third-party programs running as well however, and these don’t always have auto-update mechanisms, and we almost always fall behind in keeping up with the latest versions and updates. So it’s not surprising that 98 percent of PCs aren’t up to date.
An article in Dark Reading quotes a security expert noting that “leaving some lower-profile third-party apps unpatched isn’t a major risk,” recommending that the greater focus should be on making sure that the big ones are updated and patched, including Windows, QuickTime, Adobe, iTunes, and AV signatures.
That said, having a policy and procedure to keep all versions and patches up to date is a great idea. A very large percentage of attacks target flaws for which patches are already available. That means that most of the time, when we’re attacked, it’s because we were lazy. I’m guilty of that as well, and tend to click on the “update later” button whenever given the option, and then never get around to it. I have Vista configured to address my own laziness, and the updates are fully automatic so I don’t get presented with the “do it later” option. You can click the option to “check for updates but let me choose whether to download and install them,” but I don’t recommend this one, again simply because of the laziness factor.
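The Automatic Updates setting described above can be checked and corrected from a script rather than by clicking through Control Panel. The following PowerShell is an added example, not code from the post or from Secunia; it assumes a Windows machine with the Windows Update Agent present (the `Microsoft.Update.AutoUpdate` and `Microsoft.Update.Session` COM objects), and that changing the setting is run from an elevated prompt. The “check for updates but let me choose” option the author warns against corresponds to notification level 2; fully automatic, scheduled installation is level 4.

```powershell
# Added example: inspect and optionally fix the Windows Automatic Updates
# setting, and count updates that have been released but not yet installed.
# Assumes the Windows Update Agent COM objects are available (Vista onward).

function Get-AutoUpdateLevel {
    # NotificationLevel values (AutomaticUpdatesNotificationLevel):
    # 0 = not configured, 1 = disabled, 2 = notify before download,
    # 3 = download but notify before install, 4 = scheduled install
    $labels = @{
        0 = 'Not configured'
        1 = 'Disabled'
        2 = 'Check for updates but let me choose whether to download and install'
        3 = 'Download updates but let me choose whether to install'
        4 = 'Install updates automatically (scheduled)'
    }
    $au    = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = [int]$au.Settings.NotificationLevel
    [pscustomobject]@{
        Level       = $level
        Description = $labels[$level]
        ReadOnly    = $au.Settings.ReadOnly   # $true when Group Policy owns the setting
        Acceptable  = ($level -eq 4)          # only level 4 removes the "do it later" choice
    }
}

function Set-AutoUpdateFullyAutomatic {
    # Switch to scheduled, fully automatic installation. Refuses to touch a
    # setting that Group Policy has locked, since the change would not stick.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    if ($au.Settings.ReadOnly) {
        throw 'Automatic Updates is controlled by Group Policy; change it there instead.'
    }
    $au.Settings.NotificationLevel = 4
    $au.Settings.Save()
    Get-AutoUpdateLevel
}

function Get-MissingUpdateCount {
    # Ask the Windows Update Agent which applicable updates are not installed.
    # This contacts the configured update source, so it can take a minute.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $result.Updates.Count
}

$state = Get-AutoUpdateLevel
$state | Format-List
if (-not $state.Acceptable) {
    Write-Warning "Automatic Updates is set to '$($state.Description)'; updates will wait for a human."
    # Uncomment on a machine you administer to apply the recommended setting:
    # Set-AutoUpdateFullyAutomatic
}
Write-Host "Updates released but not installed: $(Get-MissingUpdateCount)"
```

`Get-AutoUpdateLevel` is safe to run anywhere; `Set-AutoUpdateFullyAutomatic` writes the setting and needs administrator rights. The `ReadOnly` check matters in a domain, where Group Policy overrides whatever the local Control Panel (or this script) sets, so the fix has to be made in the policy rather than on the workstation.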