SC Magazine's Dan Raywood reports that "To be completely patched requires an average of between 51 and 86 actions per year", quoting findings by Secunia that "in order for the typical home user to stay fully patched, an average of 75 patches from 22 different vendors need to be installed, requiring the user to engage in a patch action every 4.8 days."

Back in 2009, at RSA, Secunia proposed an approach to addressing this problem by building a "common application that handles all third-party application updates and patching" to address consumer application patch difficulties. While I'm not convinced it's feasible to handle all updates - some of the small companies will slip through the net, and I suspect that some of the big ones will only extend limited cooperation, for proprietary reasons - this does indeed sound like an approach that will reduce the impact on the consumer of driveby downloads and other Bad Things, and, as Brian Krebs has pointed out, reduce the amount of time some of us put in as unpaid support to family and friends afflicted by such problems, and I look forward to seeing the software. :)

However, it's not just home users who have patching problems. And there's more crossover than you might think. At a session at RSA this year on "How to expedite patching in the enterprise?" with Rich Mogull (Securosis), Doug Dexter (Cisco), Robert Duran (TIME), Wolfgang Kandek (Qualys) and Regis Rogers (GE Corp), a number of interesting questions were posed. Apart from the fact that so few attendees seemed to feel they have real control over the patching problem, it was noticeable that Oracle, Adobe and Java are seen as particular trouble spots. It's unlikely that many home users are using Oracle to catalogue their CD collections, but Adobe is another issue entirely. Yes, the company has made a lot of progress, but it still doesn't show the same awareness that Microsoft (usually) does nowadays.

And Adobe Reader still infuriates me. First it silently re-enabled JavaScript. And since I re-disabled it, it continues to prompt me to re-enable it every time I open a PDF, irrespective of whether the document actually contains any JavaScript (which it hardly ever does). It may seem trivial, but this still sounds like a company that hasn't thought a security issue through properly.

David Harley CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/