Private PCs are rife with unpatched vulnerable applications from vendors like Apple, Adobe and Oracle. The 76 applications on the average US PC come from 27 different vendors – that’s how many update mechanisms you need to stay on top of!
– Secunia Research (now part of Flexera Software), a leading provider of software vulnerability intelligence, has published its latest country report, which reveals the state of security for PC users in a total of 14 countries, including the US. The report shows that: One in 20 applications on private US PCs are end-of-life; 12 percent of Windows operating systems are unpatched; and for the first time in four consecutive quarters, Oracle Java isn’t topping the list of most exposed programs – Apple has taken the lead.
Key findings in the US Country Report include:
- 5.5 percent of applications on the average US PC have reached end-of-life, meaning they are no longer supported by the vendor and do not receive security updates. End-of-life Adobe Flash Player 18, which was end-of-life as of September 22, 2015, is found on 80% of the PCs.
- Apple QuickTime 7.x and Apple iTunes 12.x tops the list as the US’ most exposed applications:
QuickTime has a market share of 55% and 18 reported vulnerabilities, 61% of users have not installed the latest updates.
iTunes has a market share of 40% and 106 reported vulnerabilities, and 47% of users have not installed the latest updates.
- Other applications in the top 10 include Adobe Reader, Oracle Java 8 and Mozilla Firefox.
The number of end-of-life applications on private US PCs has been between five and six percent since Q3 2014 – in 2013 the number was between three and four percent. The problem with end-of-life applications from a security perspective is that the vendors of those applications no longer publish security updates to patch vulnerabilities as they are discovered in the product. Consequently, any vulnerability in an end-of-life application is an open door into any PC on which the application is installed.
“Hackers benefit from users’ failure to uninstall end-of-life applications, as the exploits they wrote for the old versions continue to work and continue to have value on the black market,” said Kasper Lindgaard, Director of Secunia Research at Flexera Software. “Too many users install and forget. Maintenance of software is not high on the radar of the average computer users, who tend to install whatever application they need to support whatever they need to do. They then tend to leave it sitting in their system, forgetting to uninstall or update it,” said Lindgaard.
Oracle Java no longer the greatest risk to PC users
From Q3 2014 to Q2 2015, Oracle Java topped the list of Most Exposed applications in the US Country Reports. The Most Exposed applications are ranked based on how widespread they are (“Market share”) multiplied by how many of their users have neglected to patch them (“Unpatched”) even though a patch was available.
Oracle Java drops down to number four as a result of two factors:
- Oracle 7 went end-of-life in April 2015, and therefore got parked on the end-of-life list, which doesn’t factor in patch status because all end-of-life applications are de facto insecure.
- Users are currently migrating to Oracle Java 8, but the 40 percent market share does not bring Oracle Java 8 to the top of the list.
To help users stay secure Flexera Software offers the Personal Software Inspector (formerly Secunia PSI 3.0), a free computer security scanner which identifies software applications that are insecure and in need of security updates. It has been downloaded by over 8 million PC users globally to detect vulnerable and outdated programs and plug-ins.
The 14 Country Reports are based on data from scans by the Personal Software Inspector between October 1, 2014 and September 30, 2015.