A typical home Windows user patches their computers on average once every 4.9 days, according to a ComputerWorld article. Citing the security company Secunia (which offers a free personal Software Inspector (PSI) that "will inspect your operating system and software for insecure versions and missing security updates"), the ComputerWorld article states that half of the people using PSI during the last week of January "had 66 or more programs from 22 or more different vendors on their computers."
I took a quick look at my home PC, and I have well over 150 application programs on it from more than 70 vendors - but I have had my machine for a while.
Doing some further analysis based upon an estimated 300 security vulnerabilities a user faces each year, Secunia says it determined that a typical home PC user experienced about 75 patch incidents annually, or about once every 4.9 days. Of course, this isn't like clockwork - my experience is that when one major security fix is made, say from Microsoft, several others immediately follow from other vendors. I find that I may need to patch and restart my machine a couple of times a day and then for the next week or two, nothing happens, and then another cluster of security patches appears.
Also, I have a couple of "normal" application software upgrades per month, and I don't know whether these upgrades are part of Secunia's count.
Secunia said that it was surprised at how many applications people have on their systems and how many security updates a typical user faced. I would be interested in an informal count of application programs and different vendors on Risk Factor readers' home machines. Are 66 programs/22 vendors typical on your machine?
The patch count might go up shortly, at least for Windows XP users.
On Monday, another story in ComputerWorld said that Microsoft is telling XP users not to press the F1 key when browsing the Web with Internet Explorer because of an unpatched vulnerability that could allow hackers to hijack their machines. Customers running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 are not at risk. The next scheduled Microsoft Patch Tuesday is March 9th, but there is no word yet on whether this flaw will be patched then or not.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.