Whose Fault Is It When Your PC Gets Hacked? Probably Not Microsoft's

Since 2002, when Microsoft launched its Trustworthy Computing initiative, security in the company's products has improved each year. But while the company has increasingly battened down Windows, Office and its other programs, the number of vulnerabilities in harder-to-patch third-party applications has grown dramatically, making overall security on the PC worse than ever.

More Risk In Third-Party Apps

Rather than go through the expense of battling Microsoft directly, many hackers now focus on low-hanging fruit, such as the Java and Adobe Flash browser plug-ins, which are often left unpatched even by users who conscientiously update Windows and Office. This trend was highlighted in a new study by Secunia.

The security vendor found that Microsoft's highly effective automatic security updates now address only 8.5% of the vulnerabilities on a PC. The rest have to be patched through updates from various software developers, each with its own process. The complexity leads users who are not security savvy to forgo updates, vastly increasing their risk of infection.

"There is, to date, no one fix-it-all solution," warned Morten Stengaard, director of product management and quality assurance at Secunia, in the company's blog.

Theoretically, Microsoft could overhaul Windows to place each third-party application in its own container, making it more difficult for hackers to load malware into the operating system. However, such a massive change would require Windows software vendors to rebuild their own products, which would have a ripple effect on every corporate and consumer customer.

"Microsoft, to some extent, is hamstrung by legacy code and what they've done in the past," Jack Gold, analyst for J. Gold Associates, said. "They can't just rip everything up and start all over again very easily."

Fewer Flaws In Microsoft Apps

Ironically, the third-party threat is blossoming even as Microsoft continues to get its own house in order. In 2012, out of all the known vulnerabilities in the top-50 PC programs, Microsoft products accounted for only 14% of them, the study found. The rest were in other software. And the share of vulnerabilities on a Windows PC coming from third-party applications has been growing. In 2007, they accounted for 57% of the security flaws, compared to 86% last year, Secunia says.

"It's well known that they [Microsoft] have put great efforts into improving security of the operating system and the applications that they provide," Stengaard said in an interview. "What we're seeing is the long-term involvement and dedication is now paying off."

Windows, Office, Silverlight and other Microsoft products are not ironclad, of course. Given enough time, knowledgeable hackers can find their way in through these channels. But in the world of cybercrime, most hackers are not interested in a challenge. Instead, they look for the easiest way to break into as many PCs as possible, to enslave the machines into the many armies of remotely controlled botnets, or to steal credit-card numbers, social-security numbers and corporate intellectual property that will fetch a good price on the underground.

Including both Microsoft and third-party applications, the number of PC vulnerabilities has dropped by 5% since 2011, and by 10% among the top 50 applications. Since 2007, though, overall vulnerabilities are up 15%, Secunia found, and that jumps to a whopping 98% increase among the top 50 applications.

Where The Danger Lies

Applications most likely to provide an easy path into Windows machines include Java, Flash, Adobe Reader and Apple iTunes, according to Secunia. If these applications are not kept up to date, hackers can exploit known vulnerabilities that enable them to load their malware via the PC's system memory.

In addition, all these applications have very large user bases, which makes it easier for hackers to find targets.

Why PCs have so much outdated software varies. Sometimes it's because the update process is too cumbersome, so users don't bother. Other times, the vendor is slow in fixing flaws that hackers are already targeting. Updating Java, an open platform for running software on any operating system, has been a pain for a long time. However, Java steward Oracle is working to improve the process and is getting updates out quicker, most experts agree.

In 2012, Adobe had the worst record for updating applications, according to Secunia. The software maker released patches at a rate 80% slower than in 2011, based on the time it took the vendor to release updates of vulnerabilities reported by Secunia.

Overall, though, patch speed for third-party apps is increasing, Secunia said:

In fact, in 2012, 84% of vulnerabilities had patches available on the day of disclosure. In 2011, the number was only 72%. The most likely explanation for this improvement in ‘time-to-patch’ is that more researchers coordinate their vulnerability reports with vendors.

Patching Is Critical

The vendor based its study on 6 million PCs, mostly in the U.S. and Europe, running its freeware called Personal Software Inspector, which checks for application vulnerabilities. Microsoft products accounted for 35% of the programs on the PCs.

If you take Secunia's study seriously, then the takeaway is clear. Even if patching all your software is getting more complicated, making sure everything is always up to date is more important than ever.

Image by Fredric Paul.