Survey: Microsoft patches ignored

[InfoSec News <alerts () infosecnews org>]

http://www.gcn.com/online/vol1_no1/46535-1.html

By Jabulani Leffall
Special to GCN
06/24/08 

The results of an online test conducted by U.K. anti-virus firm Sophos 
found that more often than not, PC users don't install Microsoft's 
monthly patches.

The results, released on Monday, were gathered from 40 days' worth of 
data from a sample group of 580 PCs in corporate environments, 80 
percent of which failed one or more basic security tests.

Moreover, 63 percent were found lacking at least one Microsoft patch on 
the OS level, the Office and application levels, or the browser and 
media player component levels.

Bill Emerick, Sophos' vice president of product management, said in a 
prepared statement, "Machines that fail such a test represent 
'low-hanging fruit' for cybercriminals and [are] a real danger to their 
corporate networks."

But according to Randy Abrams, director of technical education for IT 
consultancy ESET, these reports can sometimes be like "two blind men, 
touching different parts of an elephant. [They] may get the same 
results, but it doesn't cover the whole body."

"I think we have to remember that the sample sets and control groups in 
tests like these need to be taken into consideration," said Abrams, 
himself a former Microsoft security pro. "That said, we don't need a 
survey to tell us that people are lax about patching their systems. I 
think the evidence of that is that there are far fewer zero-day or new 
patches than there are those that are responding to a direct set of 
vulnerabilities."

[...]


_______________________________________________      
Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com