The Danish provider of vulnerability assessment software pointed the finger at weaknesses in commercial vulnerability-scanning tools as the culprit.
Those products focus on vulnerabilities in network services, weak passwords and open shares in only the 20 to 50 most used applications deployed in corporate environments, the report said.
The typical network environment contains a wide range of applications, including home-grown ones, that are not covered by the commercial products and are left open to vulnerabilities, the report said.
Beta tests of Secunia's new Network Software Inspector by 1,600 IT administrators indicated that 28 per cent of the applications on the corporate systems scanned during the beta program were vulnerable to exploits. Secunia has said its new product can detect potential security problems - most notably, missing critical security patches - in more than 4,000 applications.
Microsoft products in corporate environments "appear to be updated fairly regularly," due mostly to widespread awareness of the monthly Patch Tuesday round of security fixes from Microsoft, Secunia reported.
The picture is even more grim at the end-user desktop, the report said. In the five months the company's free online Secunia Software Inspector desktop application scanning tool has been available, it found that 1.4 million of the 4.9 million applications on end-user PCs scanned were missing critical security patches from vendors.
An official from the Danish security vendor could not be reached for comment.
Among the major offending applications: 33 per cent of all QuickTime 7 and 27 per cent of all Winamp 5 installations are missing important security updates and are vulnerable to exploits, the report said.
On the positive side, Secunia reported that users of the Firefox and Opera browsers remember to keep their software updated more than Internet Explorer users. Only five per cent of Firefox 2 and 13 per cent of Opera 9.x installations are missing security updates; the corresponding numbers for Internet Explorer 6/7 are 10 per cent and five per cent, respectively.
Jakob Balle, Secunia IT development manager, said on the Secunia Security Watchdog Blog that most end users seem unaware of the dangers or unwilling to find the time to fix flaws.
"While most people are aware of the need to update their anti-virus patterns and to raise their firewall shields, it appears that too many users either don’t know that their systems are vulnerable to significant issues or that they simply don’t want to spend the necessary time scouring for vulnerability information and the relevant vendor patches to properly address the issues," he said.
Secunia: Nearly a third of applications missing critical patches
By Jim Carr on May 21, 2007 4:11AM