While it can often be difficult to get two people to agree on something on this pale blue dot of ours, there is probably little doubt that outdated third-party software poses a considerable security risk. The best way to mitigate this risk is by always ensuring that you’re running the latest version of such third-party apps. But we all know it’s easier said than done. This is where Secunia’s Personal Software Inspector (PSI) tool comes in. Hit the jump for more.
Secunia said in its report that its findings reinforce the notion that "a high market share correlates with a high number of vulnerabilities." On a typical end-user PC running 26 third-party applications, it found that vulnerabilities in third-party software now far outnumber those in first-party (Microsoft) software. The tables have turned: five years ago the reverse was true.
Although the total number of vulnerabilities across all the products Secunia tracks has stayed flat since 2005, the number affecting a typical end-user PC is growing at an alarming rate.
“In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010 to 760,” Secunia said in its report.
Everyone has different reasons for exposing Windows security flaws. Some do it to avenge a fellow security researcher's insult, others to bring home the bacon. Unlike the Microsoft-Spurned Researcher Collective, which falls in the former category, Danish security firm Secunia's motivation is purely pecuniary.
“The vulnerability is caused due to a boundary error in the "UpdateFrameTitleForDocument()" function of the CFrameWnd class in mfc42.dll. This can be exploited to cause a stack-based buffer overflow by passing an overly long title string argument to the affected function,” Secunia said on its site.
According to group manager Jerry Bryant, “Microsoft is investigating new public claims of a possible vulnerability in Windows 2000 and Windows XP.” However, he is unaware of any attacks based on the vulnerability.
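The Secunia description above names the bug class, a boundary error on a string copied into a fixed-size stack buffer, without showing code. The following is an added illustration of that class and of its fix, written for this page; it is not the CFrameWnd/mfc42.dll code, and the buffer size, function names and inputs are all assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer; the real mfc42.dll size is not on the page. */
#define TITLE_BUF 32

/* Vulnerable pattern: a fixed-size stack buffer and an unbounded copy of a
 * caller-controlled string. Any title of TITLE_BUF bytes or more (plus its
 * terminating NUL) overruns the buffer and clobbers whatever sits above it on
 * the stack, including the saved return address. Illustrative only. */
void update_title_unsafe(const char *title)
{
    char frame_title[TITLE_BUF];
    strcpy(frame_title, title);            /* no length check: the bug */
    printf("frame title: %s\n", frame_title);
}

/* The check the unsafe version is missing: does `title` (with its NUL)
 * fit in a buffer of `bufsz` bytes? */
bool title_fits(const char *title, size_t bufsz)
{
    return strlen(title) < bufsz;          /* strlen excludes the NUL, so < not <= */
}

/* Hardened pattern: copy at most bufsz-1 bytes, always NUL-terminate, and
 * report truncation to the caller instead of silently overflowing.
 * Returns 1 if the title was truncated, 0 if it was copied whole. */
int update_title_safe(char *dst, size_t bufsz, const char *title)
{
    size_t n = strlen(title);
    size_t copy = n < bufsz ? n : bufsz - 1;   /* assumes bufsz >= 1 */
    memcpy(dst, title, copy);
    dst[copy] = '\0';
    return n >= bufsz;
}

/* Helpers that exercise the hardened path on a TITLE_BUF-sized stack buffer. */
int title_truncated(const char *title)
{
    char frame_title[TITLE_BUF];
    return update_title_safe(frame_title, sizeof frame_title, title);
}

size_t safe_title_len(const char *title)
{
    char frame_title[TITLE_BUF];
    update_title_safe(frame_title, sizeof frame_title, title);
    return strlen(frame_title);
}

int main(void)
{
    /* Constructed inputs: an ordinary title and a 200-byte title of the kind
     * an attacker would supply. */
    const char *short_title = "Document1";
    char long_title[201];
    memset(long_title, 'A', 200);
    long_title[200] = '\0';

    printf("short fits: %d, long fits: %d\n",
           title_fits(short_title, TITLE_BUF), title_fits(long_title, TITLE_BUF));
    printf("safe copy of long title: truncated=%d len=%zu\n",
           title_truncated(long_title), safe_title_len(long_title));

    /* The unsafe path is only ever called with an input known to fit;
     * calling it with long_title would be the overflow itself. */
    if (title_fits(short_title, TITLE_BUF))
        update_title_unsafe(short_title);
    return 0;
}
```

The point of the hardened version is not the bounded copy alone but the returned truncation flag: a caller that silently loses the tail of a title is better than one that corrupts the stack, but it should still know it happened.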
Do you download updates and patch your Windows install every five days? According to security service vendor Secunia, that is the burden the average Windows user faces.
"It's completely unreasonable to expect users to master so many different patch mechanisms and spend so much time patching," said Thomas Kristensen, the chief security officer of Secunia.
Secunia came by its numbers by analyzing the results of its Personal Software Inspector (PSI), a free tool that scans PCs and compiles a list of installed software that is out of date and potentially vulnerable. According to Secunia, half of those who ran the program in January had 66 or more programs from 22 or more different vendors on their machines, each vendor with its own update mechanism, which the company also found concerning.
"That's why we called for software vendors to create a unified patching standard last year," said Kristensen. "A few vendors said 'We want to hear more,' but a lot just ignored us or turned down the idea outright."
So you've just downloaded that hip new open-source replacement for your favorite paid-for application and you're ready to crack it open and unleash all the awesome community-driven features contained inside. Well, if this application is Songbird, you might want to hold off for a moment. A recent blog post by the application's developers has revealed that the media player's iPod add-on does more than just transfer music to your device. It also has the potential to corrupt or otherwise delete music straight from your hardware device. Yikes!
Bugs are the bane of any software, but they can especially affect the open-source world in unpleasant ways. Read on to find out what we mean -- but first, unplug your iPod!