Unpatched software abounds on user systems

By Scott Dunn

Readers of the Aug. 16 issue of Windows Secrets took our advice and used the Secunia Software Inspector service in droves.

The results show that — even though our readers are more tech-savvy than the average computer user — thousands of you apparently still use computers with unpatched software.

Software Inspector finds many unpatched apps

After we recommended that our readers use Secunia.com’s Software Inspector, the link we provided was clicked more than 63,000 times. The service scans PCs for applications that lack available security patches.

Secunia.com provides us with aggregate counts of the number of products installed and the percentage that are unpatched. No personal information is collected. Table 1, below, shows the top 20 unpatched applications installed on the systems of Windows Secrets readers. (Several readers ran the scan more than once, which is why some apps show up more than 63,000 times.)

The figures reveal that many people haven’t patched their media players and other run-time software: Java, Flash, QuickTime, Adobe Reader, and RealPlayer. This exposes you to infected media files. I’ll explain below how you can keep these apps patched and your computer safer.

Table 1. Unpatched products on Windows Secrets readers’ systems.


| Product | Number installed | Percent unpatched | Number unpatched |
|---|---|---|---|
| Java JRE 1.6.x/6.x | 70,860 | 38.08 | 26,983 |
| Java JRE 1.5.x/5.x | 60,465 | 98.84 | 59,764 |
| Flash Player 9.x | 73,256 | 62.03 | 45,441 |
| Flash Player 8.x | 14,885 | 99.84 | 14,861 |
| Flash Player 7.x | 14,659 | 99.88 | 14,641 |
| Flash Player 6.x | 19,179 | 76.47 | 14,666 |
| Flash Player 5.x | 8,683 | 99.85 | 8,670 |
| Flash Player 4.x | 3,745 | 99.92 | 3,742 |
| QuickTime 7.x | 28,752 | 33.85 | 9,733 |
| QuickTime 6.x | 3,944 | 99.87 | 3,939 |
| Internet Explorer 7.x | 41,914 | 10.16 | 4,258 |
| Internet Explorer 6.x | 14,008 | 20.33 | 2,848 |
| Adobe Reader 7.x | 29,767 | 11.89 | 3,539 |
| Adobe Reader 5.x | 2,956 | 99.90 | 2,953 |
| WinZip 8.x | 3,715 | 99.87 | 3,710 |
| Firefox 2.0.x | 25,981 | 14.71 | 3,822 |
| RealPlayer 10.x | 16,471 | 16.73 | 2,756 |
| RealPlayer 6 | 2,213 | 97.65 | 2,161 |
| Yahoo! Messenger 8.x | 4,417 | 44.78 | 1,978 |
| Winamp 5.x | 5,700 | 34.25 | 1,952 |

How to keep your system up to date

Reducing security risks on your system means keeping all of your applications up to date, not just the operating system. To do that, you need a two-pronged approach.

First, if you’re not using Windows’ Automatic Updates feature, run Microsoft Update once a month after Patch Tuesday (the second Tuesday of each month, when Microsoft releases security updates). If possible, install Microsoft’s patches after you read the Windows Secrets Newsletter on the Thursday after Patch Tuesday. We may report glitches you should avoid, while still ensuring that you can install the latest Microsoft Windows and Office security updates within two days of their release.

Second, consider turning on the auto-update feature of your individual applications to make sure they’re updated regularly. See my Aug. 16 story for details on how to do this.

Understandably, many people (particularly in companies with thousands of users) don’t want auto-updating turned on for every user. Companies often prefer to test individual updates before everyone in the organization adopts them.

If you prefer this more cautious approach, use the Secunia Software Inspector once a month to tell you what applications have patches available. Then update the individual applications manually (after running your usual research-and-test regimen).

Enterprises can run Secunia’s Network Software Inspector, a commercial application that has recently emerged from beta testing. The program reportedly scans PCs for more than 4,000 applications and versions.

For information on removing out-of-date software, see this week’s installment of Known Issues.

Get an automatic reminder to check for updates

The biggest challenge in manually checking for updates is remembering to do it on a regular basis. Fortunately, Windows’ Scheduled Tasks accessory can help out.

How to schedule an update reminder in Windows XP

You can make Scheduled Tasks run a script that launches Internet Explorer 7 with Microsoft Update in one tab and Secunia Software Inspector in another. I use IE 7 in this example because Microsoft Update won’t run in most other browsers, such as Mozilla Firefox. The technique shown below is adapted from a Windows Scripting Host script published by Tony Schreiner in his MSDN blog.

Step 1: Open your favorite text editor, such as Notepad. Type or paste in the following five lines:

var navOpenInBackgroundTab = 0x1000;
var oIE = new ActiveXObject("InternetExplorer.Application");
oIE.Navigate2("http://update.microsoft.com");
oIE.Navigate2("http://secunia.com/software_inspector/", navOpenInBackgroundTab);
oIE.Visible = true;

Step 2: Save the file with a .js extension. For example, I named mine Update-me.js.

Step 3: Choose Start, All Programs, Accessories, System Tools, Scheduled Tasks.

Step 4: In the Scheduled Tasks window, double-click Add Scheduled Task.

Step 5: In the Scheduled Task Wizard, click Next. Then click Browse.

Step 6: Locate and select Wscript.exe in Windows’ System32 folder. (Or just type c:\Windows\System32\Wscript.exe in the File name box; your path may differ.) Click Open.

Step 7: In the next step of the wizard, select Monthly and click Next.

Step 8: Specify a start time. Select the second radio button and specify the second Tuesday. Leave all months checked. Click Next.

Step 9: Enter your account name and password for an administrator account. (Only administrators can install updates.) Click Next.

Step 10: Check the box for opening advanced properties and click Finish.

Step 11: When the Wscript Properties dialog box opens, click at the end of the line in the Run box. Type a space followed by the path to your script (.js) file. If the path includes spaces or long names, put it in quotation marks. For example, when you’re done, the finished command should read something like this:

c:\windows\system32\wscript.exe "C:\My Documents\update-me.js"

Step 12: Click OK. Enter your account name and password again, if prompted. Click OK.

As long as you are logged in as an administrator on the appropriate day, Scheduled Tasks will open a browser with these two sites, reminding you of this important chore.
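
The monthly task fires only if you are logged in on the second Tuesday. As an added example (not part of the original article or of Tony Schreiner's script), this variant is meant to be scheduled Daily instead of Monthly and opens the two pages once per month, on Patch Tuesday or within an assumed seven-day window after it. The function names and the stamp-file path are assumptions.

```javascript
// Added example (not from the article). Plain ES3, so the same file runs
// under Windows Script Host (wscript.exe) and under Node for testing.

// Patch Tuesday: the second Tuesday of the given month (month is 0-11).
function patchTuesday(year, month) {
  var firstDow = new Date(year, month, 1).getDay();   // 0 = Sunday, 2 = Tuesday
  var firstTuesday = 1 + (2 - firstDow + 7) % 7;
  return new Date(year, month, firstTuesday + 7);
}

// Key recording "reminder already shown this month", e.g. "2007-9".
function monthKey(d) {
  return d.getFullYear() + "-" + (d.getMonth() + 1);
}

// True if today is Patch Tuesday or up to windowDays after it, and the
// reminder has not fired yet this month (lastShown is a monthKey or "").
function reminderDue(today, windowDays, lastShown) {
  if (lastShown === monthKey(today)) return false;
  var start = patchTuesday(today.getFullYear(), today.getMonth());
  var day = new Date(today.getFullYear(), today.getMonth(), today.getDate());
  var elapsed = Math.round((day - start) / 86400000); // whole days, DST-safe
  return elapsed >= 0 && elapsed <= windowDays;
}

// Windows Script Host only: keep a stamp file and open the two update pages.
if (typeof ActiveXObject !== "undefined") {
  var fso = new ActiveXObject("Scripting.FileSystemObject");
  var shell = new ActiveXObject("WScript.Shell");
  // Assumed stamp location; any path the account can write to will do.
  var stamp = shell.ExpandEnvironmentStrings("%APPDATA%") + "\\update-me.stamp";
  var last = "";
  if (fso.FileExists(stamp)) {
    var f = fso.OpenTextFile(stamp, 1);               // 1 = ForReading
    if (!f.AtEndOfStream) last = f.ReadLine();
    f.Close();
  }
  var now = new Date();
  if (reminderDue(now, 7, last)) {                    // 7-day window is an assumption
    var oIE = new ActiveXObject("InternetExplorer.Application");
    oIE.Navigate2("http://update.microsoft.com");
    oIE.Navigate2("http://secunia.com/software_inspector/", 0x1000); // background tab
    oIE.Visible = true;
    var out = fso.CreateTextFile(stamp, true);        // true = overwrite
    out.WriteLine(monthKey(now));
    out.Close();
  }
}
```
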

How to schedule an update reminder in Windows Vista

The Microsoft Update site in Vista has been replaced by a Control Panel applet. To automate the reminder in Vista, you’ll need to set up two automated processes: one for patching Windows, and another for launching a browser showing the Secunia Software Inspector.

Follow these steps to run Windows Update once a month after Patch Tuesday:

Step 1: Choose Start, type Task Scheduler, and press Enter. Click to confirm User Account Control.

Step 2: In the far right pane, click Create Basic Task.

Step 3: In the Create Basic Task Wizard, type the name of your task and (optionally) a description. Click Next.

Step 4: Select Monthly and click Next.

Step 5: Specify a start date. For Months, choose Select All Months in the pop-up menu. Click On and specify the Second Tuesday. Click Next.

Step 6: Leave Start a program selected and click Next.

Step 7: For Program/script, type c:\Windows\System32\Wuapp.exe (your path may differ).

Step 8: Click Next and then click Finish.

Follow these steps to run Software Inspector once a month after Patch Tuesday:

Step 1: Follow steps 1 through 6 above but specify a different task name in Step 3.

Step 2: For Program/script, specify the path to your preferred Web browser. In the Add arguments (optional) box, type http://secunia.com/software_inspector/.

Step 3: Click Next and then click Finish.

Windows will launch these tasks on the appropriate day, reminding you to proceed with your checks.

Protecting your system involves many tools, including antimalware tools and regular system updates. By adding Secunia Software Inspector to your toolbox, you can help ensure that your major add-ins are patched in addition to Windows.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

All Windows Secrets articles posted on 2007-09-06: