Could most computer attacks be stopped simply by keeping your software up to date?
Two recent studies of Windows PCs claim that up to 99 percent of malware infections could be prevented if users consistently updated their software. More surprisingly, the reports imply we could save the $40 to $80 cost of a yearly anti-virus subscription by instead keeping just five commonly used programs current and employing a standard firewall.
One study, done by Denmark's CSIS Security Group, examined 50 different malware exploit kits and roughly half a million user exposures to them.
Echoing the CSIS study, a security report published by the Bethesda, Md.-based SANS Institute noted that "...common misconfigurations and old attacks are far more of a concern to the security professional" than new zero-day exploits sold on the black market.
The CSIS study concluded that up to 99.8 percent of all virus and malware infections caused by commercial exploit kits are a direct result of failing to update five specific software packages: Java Runtime Engine, Adobe Acrobat/Reader, Adobe Flash, Microsoft Internet Explorer and Windows Help and Support.
Life in a bad neighborhood
Anti-virus experts say this isn't surprising, since these are among the most commonly used programs, which makes them prime targets for attack.
"Malware writers will always look for vulnerabilities in the most frequently used software in order to maximize the chances of infecting as many people as possible," said Alexandru Catalin Cosoi, the global research director for Bucharest-based security firm Bitdefender.
Of course, software makers are continually working to fix any vulnerabilities as soon as they are discovered and then offer software updates and patches. So not performing an update can leave you unprotected, warned Cosoi.
Unfortunately, most people don't bother to download updates or set software to do it automatically. According to Prague-based security company Avast, as many as six out of 10 of its own subscribers have a vulnerable version of Adobe Acrobat.
Because of this, Jindrich Kubec, virus lab director at Avast, has referred to Acrobat as a "major threat."
The ways in which unpatched software can leave consumers open to attack can be subtle. A case involving Spotify, the popular European music service that's now available in the United States, provides one example of how a Java exploit can work.
Last year, unbeknownst to the service, one of the ads the company carried was actually running a Java application with malware attached. When the ad popped up, it infected unsuspecting listeners who believed they were safe running a legitimate program.
Java was not originally "designed with security in mind," noted Avast CTO Ondrej Vlcek, but it drives the Web and Web applications, often running in the background without the consumer even realizing it.
Is free good enough?
So perhaps Windows users should not only update all their software, but also avail themselves of the free protections available, such as Microsoft Security Essentials. Currently, PC owners have to go to the trouble of downloading and installing Microsoft's free anti-virus software, but it will be built into the forthcoming Windows 8 operating system.
"Home users need to understand that even though performing updates can seem annoying, spending a couple of minutes on recent patches can prevent them from becoming victims of financial fraud, data theft and extortion," advised Bitdefender's Cosoi.
However, just running Security Essentials may not be enough to prevent an infection. While the Microsoft program may be among the best of the free anti-virus software suites, its bare-bones approach may not be robust enough to stop the latest wave of sophisticated malware.
New vulnerabilities are constantly being discovered, "and the bad guys have no shortage of ways of finding new ones," says Ryan Permeh, principal security architect at Santa Clara, Calif.-based McAfee. "What you don't know can absolutely hurt you."
To provide maximum protection, consumers will need to keep their computer's main programs up to date — and, like it or not, purchase, download and install full-featured commercial anti-virus software and keep it current as well.