back to article Most of 2016's holes had fixes the day we knew about 'em. Did we patch? Did we @£$%

Patching rates went down in 2016 despite an increase in availability of security patches, according to a new study out today. Last year Secunia Research at Flexera Software recorded a total of 17,147 vulnerabilities in 2,136 products from 246 vendors. Even though a big majority (81 per cent) of all vulnerabilities had patches …

  1. Little Mouse Silver badge

    Three out of Four Adobe Reader users don't patch?

    That's a self-selecting group, surely?

    Anyone with the sense & know-how to religiously apply all Adobe patches isn't the sort of person to be running Adobe software in the first place...

    1. bombastic bob Silver badge
      Devil

      Re: Three out of Four Adobe Reader users don't patch?

      time to use a different reader (like Evince maybe?)

      1. theblackhand

        Re: Three out of Four Adobe Reader users don't patch?

        Surely today's patched Adobe Reader is tomorrow's security flaw so the statistic should be 100% of Adobe Reader users are vulnerable...

        1. grumpyoldeyore
          Unhappy

          Re: Three out of Four Adobe Reader users don't patch?

          Sadly I've had to install Reader DC for some technical review work, and I've found myself back in XKCD land https://xkcd.com/1197/

  2. Rich 11 Silver badge
    Black Helicopters

    Hmm...

    Other findings in the Vulnerability Review 2017 confirm trends from previous years: The number of zero-day vulnerabilities (22) was a bit lower than the 26 recorded in 2015.

    Well, that's because the TLA's are hoarding them, obviously.

  3. Mike 16 Silver badge

    Why do we patch, or not?

    Offer a starving man a moose-turd pie, and watch him hesitate. The typical "update", even (especially?) a "security critical" one is as likely to contain corporate or state malware as it is to actually fix something. To be fair, sometimes they do actually fix something, typically something a competitor (Google/Apple/MSFT/FSB) was using...

    In an ideal world, "Security fixes" would be exactly, and only, that. No software equivalent of the "Omnibus puppies and motherhood (and indefinite pretrial detention and unlimited expense accounts for MPs) act". In the real world, modern software is so full of bizarre dependencies that it is entirely plausible that deprecating a particular encryption suite will break the ability to display cat videos in other than 4:3 aspect ratio, or some such.

    1. Cardinal
      Happy

      Re: Why do we patch, or not?

      @Mike 16

      "Offer a starving man a moose-turd pie, and watch him hesitate."

      Lovely image - Made me chuckle anyway.

      Like your Parliamentary Act as well.

      1. Charles 9 Silver badge

        Re: Why do we patch, or not?

        Offer an EMACIATED starving man a moose-turd pie and watch him scarf it down. If you can't be sure of your next meal, anything to stave off starvarion. You see it all the time in animals.

        1. Cardinal

          Re: Why do we patch, or not?

          @Charles 9

          The 'hesitation' bit was the chuckle inducing part - For me anyway.

          1. Charles 9 Silver badge

            Re: Why do we patch, or not?

            But it's NOT chuckle-worthy. If it's eat a moose turd pie or DIE, guess what happens?

    2. David 132 Silver badge

      Re: Why do we patch, or not?

      Mike 16: Amen to that. I couldn't agree more.

      Microsoft, Apple and the other software vendors have rather stupidly decided to poison the update mechanism with marketing-related "upgrades".

      So yes, I will be aware that I am running a known-vulnerable version of software. I'll also be aware that if I choose to patch that vulnerability, I'll also get unwanted crap too - the new, secure, patched version will have also acquired the ability to show me adverts, "telemetry", mandatory TwitFaceGram integration, and as you mentioned, probably a state-sponsored backdoor or two as well.

      0.00001% chance of being hacked (especially if I observe basic secure browsing habits) if I don't patch, vs. near-100% chance of my OS or app changing in unwanted ways if I do... gee, yes, I'd hesitate.

      1. John Brown (no body) Silver badge

        Re: Why do we patch, or not?

        "0.00001% chance of being hacked (especially if I observe basic secure browsing habits) if I don't patch, vs. near-100% chance of my OS or app changing in unwanted ways if I do... gee, yes, I'd hesitate."

        Not to mention that even average users using Android are becoming aware of data slurping when PlayStore app updates inform you that $simple_app now wants access to your phone ID, contacts list etc. so are being conditioned to be suspicious of all updates.

  4. adam 40 Silver badge
    Big Brother

    Not a Member of the Monoculture

    It's well known that infections spread best in monocultures.

    Computer viruses, trojans and worms would surely follow that maxim.

    Stay out of the monoculture, turn off all updates (and sometimes manually patch the occasional really nasty ones) and you'll be an unattractive target for the scriptkiddie's bot-botnets.

    Not to mention the bloatware listed above requiring more and more memory and eventually a hardware upgrade....

    1. a_yank_lurker Silver badge

      Re: Not a Member of the Monoculture

      Agree with staying out the monoculture whenever possible but one should be aware that not all vulnerabilities are OS specific. Being fully patched is a must for reasonable security even for Linux users (I am one).

      1. Charles 9 Silver badge

        Re: Not a Member of the Monoculture

        And even that isn't always sufficient if recent government leaks are any indication, as it seems clear states covet zero-days for any and all OS's in operation.

  5. JustinFitz

    Patching software ?

    Adobe makes patching hard, updates are well hidden on their FTP server. I use the free PDQ Deploy across my network to apply patches and [shameless plug] I have AuditQi a program I've developed to track the versions of apps I've open sourced this application under a GPL3 license, just google "AuditQi" for download info and the wiki.

    This allows me to identify when patches are failing on some machines and need manual troubleshooting as they sometimes do and other useful machine related info memory, spare drive space etc.

    Its also helpful in letting me know who is logged in and broadly what apps are most used. AuditQi does require running an agent on machines to collect info and a MySQL backend for storage so some setup is required but a dedicated server isn't. I'm hoping this might be of interest to some. [end plug]

  6. Terry 6 Silver badge

    True but probably irrelevant

    Yes, patching has been poisoned by the vendors taking the piss and misusing the process..

    Yes, aware members of the public may well be wary.

    But most of the public are simply clueless. They don't patch their devices for the same reason they don't floss their teeth. A mix of ignorance and laziness.

  7. EnviableOne Silver badge
    Holmes

    Patch me if you can

    Being fully patched, may expose you to MS FB and all the slurp factories, but it has the advantage, that you have a far smaller attack surface to worry about,

    ie 22 vulnerabilities in a year rather than the 17,147

    and it makes the script kiddies nigh on impotent, as they don't have the skill or inclination to go after the Zero-Days.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021