The worm that has infected several million Windows PCs is causing havoc because nearly a third of all systems remain unpatched 80 days after Microsoft rolled out an emergency fix, a security expert said Thursday.
Based on scans of several hundred thousand customer-owned Windows PCs, Qualys concluded that about 30 percent of the machines have not yet been patched with the "out of cycle" fix Microsoft provided Oct. 23 as security update MS08-067.
"The unpatched numbers went down significantly around the 30-day mark," said Wolfgang Kandek, Qualys' chief technology officer, "when less than 50 percent were unpatched. After that, it went down a little slower. As of yesterday, 30 percent of the machines are unpatched."
With nearly a third of all Windows systems still vulnerable, it's no surprise that the "Downadup" worm has been able to score such a success, Kandek said. "These slow [corporate] patch cycles are simply not acceptable," he said. "They lead directly to these high infection rates."
The Downadup worm, called "Conficker" by some researchers, surged dramatically this week and has infected an estimated 3.5 million PCs so far, according to Finnish security company F-Secure. The worm exploits a bug in the Windows Server service used in Windows 2000, XP, Vista, Server 2003, and Server 2008.
Microsoft issued a patch in late October after confirming reports of in-the-wild attacks, most of them against machines in Asia.
On Tuesday, Microsoft laid at least some of the blame for the worm's success at the feet of Windows' users. "Either Security Update MS08-067 was not installed at all or was not installed on all the computers," said Cristian Craioveanu and Ziv Mador, researchers at Microsoft's Malware Protection Center, in a Tuesday blog post.
Kandek agreed with them. "This shows that a three-month patch cycle, which some companies use, is unacceptable," he said.