Secunia pushes security patches without vendor consent

Secunia plans to package PC security updates in single automatic mechanism -- whether software companies like it or not

Staying current with patches and updates is a key component of keeping a computer secure, but the majority of workers are not diligent about updating their home computers. In the age of consumers using their own devices and cloud services in the workplace, the lack of up-to-date software can pose a security problem for companies.

Part of the problem is that consumers' default behavior is to click "no" to any update request. In addition, the dozen or so vendors that make the 50 most popular desktop programs use a hodgepodge of update mechanisms, which makes it difficult for users to know the patch status of their systems, says security firm Secunia. Although 72 percent of the vulnerabilities reported in 2011 had a patch available at the time of public disclosure, about half of all endpoints still have one or more unpatched vulnerabilities, the company says.
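As an added illustration of the version check that sits underneath any patch-status scanner (this is not Secunia's code and is not part of the original article), the following Python compares a constructed inventory of installed programs against a constructed table of the first patched version of each. All program names and version numbers are invented for the example; a real tool would take the "fixed in" data from vendor advisories.

```python
import re
from typing import Dict, List, Tuple

# Constructed inventory: what a hypothetical scanner found installed on one
# endpoint. Program names and versions are made up for this example.
INSTALLED: Dict[str, str] = {
    "reader": "10.1.2",
    "browser": "18.0.1",
    "player": "11.2.202.235",
    "java": "1.6.0_31",
    "archiver": "4.20",
}

# Constructed "fixed in" table: the lowest version of each program with no
# known unpatched vulnerability. Values are invented for the example.
FIXED_IN: Dict[str, str] = {
    "reader": "10.1.3",
    "browser": "18.0.1",
    "player": "11.2.202.233",
    "java": "1.7.0_4",
    "archiver": "4.20",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a vendor version string into a tuple of integers.

    Comparing tuples avoids the classic bug where "10.1.9" > "10.1.10" as
    strings. Separators vary between vendors ('.', '_', '-'), so every run
    of digits is taken as one component.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_outdated(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the first patched version."""
    return parse_version(installed) < parse_version(fixed_in)


def patch_status(inventory: Dict[str, str], fixed_in: Dict[str, str]):
    """Classify each installed program as outdated, current or unknown.

    Returns (outdated, current, unknown). Each outdated entry is a tuple of
    (name, installed_version, fixed_in_version). Programs absent from the
    fixed-in table are reported as unknown rather than silently treated as
    patched: missing advisory data is not evidence of safety.
    """
    outdated: List[Tuple[str, str, str]] = []
    current: List[str] = []
    unknown: List[str] = []
    for name, version in sorted(inventory.items()):
        if name not in fixed_in:
            unknown.append(name)
        elif is_outdated(version, fixed_in[name]):
            outdated.append((name, version, fixed_in[name]))
        else:
            current.append(name)
    return outdated, current, unknown


def endpoint_is_exposed(inventory: Dict[str, str], fixed_in: Dict[str, str]) -> bool:
    """One unpatched program is enough to count the endpoint as exposed."""
    outdated, _, _ = patch_status(inventory, fixed_in)
    return bool(outdated)


if __name__ == "__main__":
    outdated, current, unknown = patch_status(INSTALLED, FIXED_IN)
    for name, have, need in outdated:
        print(f"OUTDATED {name}: installed {have}, patched in {need}")
    print("current:", ", ".join(current))
    print("no advisory data:", ", ".join(unknown) or "none")
    print("endpoint exposed:", endpoint_is_exposed(INSTALLED, FIXED_IN))
```

The "unknown" bucket is the caveat worth keeping: a scanner that only knows a subset of the programs on a machine can report it as clean when the real answer is "not assessed", which is one reason a single endpoint figure like "half of all endpoints have an unpatched vulnerability" depends heavily on how wide the scanner's coverage is.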

"If (updating) requires more than a simple OK, then users won't do it," says Thomas Kristensen, chief security officer for Secunia.

On Monday, Secunia announced a new simplified version of its Personal Software Inspector that will package security updates from the most popular software vendors into a single automated update mechanism. The approach is controversial because the company is not first asking developers for permission.

"For years, we have tried to push out information on patch levels so that software companies would have better updates," says Kristensen. "The vendors failed to commit."

Wrapping an update in a tailored installer has caused controversy in the past, mainly because firms repackaging software often did so for less than altruistic reasons. Late last year, security experts took CNET to task for bundling other companies' software with the installers for open source applications.

Yet for a personal computer to stay current with patches, either the software vendor must already have an automated update process or a third-party service must repackage the updates, says Kristensen. A central update mechanism is baked into almost every Linux distribution, for example, where a single package manager refreshes all the software on the system.

Secunia's response to any software vendor that objects to the automatic update service will be to ask why the vendor does not update its own users automatically. Microsoft and Adobe, for example, both already patch their users automatically.

Secunia plans to seek out partners, such as Internet service providers and banks, that want to increase the security of their users. In addition, the lessons that Secunia learns from its free PSI 3.0 product will make their way into its enterprise security product.

This story, "Secunia pushes security patches without vendor consent," was originally published on the InfoWorld Tech Watch blog.