Oracle Java 'no longer the greatest risk' to US Windows PC users

Apple's Windows apps have leapfrogged Oracle Java as the biggest security risk to PCs in the US, according to a study by vulnerability management outfit Secunia (now a Flexera Software company).

(This shift is mainly down to the forced retirement of aging Java 7 rather than any improvement by Oracle.)

Secunia's latest quarterly report, seen by The Reg, is a snapshot of software security on PCs used by folks in the US and 14 other countries. For the first time in four consecutive quarters, Java 7 isn't topping the list of most dangerous programs: Apple apps have taken the lead in the third quarter of 2015.

Secunia ranks applications by how widespread they are used multiplied by how many of their users have neglected to patch vulnerabilities even though fixes were available.

Apple QuickTime 7.x and Apple iTunes 12.x top the list as the most exposed applications on US Windows PCs – a lot of people use them and not a lot of people are patching, in other words. (You don't need zero-days when machines wherever are packed with old-days.)

QuickTime has a market share of 55 per cent, 18 reported vulnerabilities, and 61 per cent of users did not install the latest updates, according to Secunia. iTunes has a market share of 40 per cent, 106 reported vulnerabilities, and 47 per cent of users did not apply the necessary fixes.

Java drops down to number four largely because Java 7 was end-of-lifed in April 2015, and therefore got parked on the end-of-life list. In addition, users are migrating to Java 8, but the 40 per cent market share does not bring Java 8 to the top of the list.

Other applications in the top 10 include Adobe Reader and Mozilla Firefox. One in eight Windows operating system installations were not up to date with patches.

About one in 20 application installations on private US PCs are at their end-of-life, according to Secunia. That means the packages are no longer supported by the vendor and do not receive security updates. As a result any vulnerability in an end-of-life application is an open door into any PC on which the application is installed.

The number of end-of-life applications on private US PCs has been between five and six percent since Q3 2014. In 2013 the number was between three and four per cent.

"Hackers benefit from users' failure to uninstall end-of-life applications, as the exploits they wrote for the old versions continue to work and continue to have value on the black market," said Kasper Lindgaard, director of Secunia Research at Flexera Software.

"Too many users install and forget. Maintenance of software is not high on the radar of average computer users, who tend to install whatever application they need to support whatever they need to do. They then tend to leave it sitting in their system, forgetting to uninstall or update it," he added.

The 76 applications on the average US PC come from 27 different vendors and as many different update mechanisms, creating a huge patching headache in the process.

The study is based on data from scans by the Personal Software Inspector (formerly Secunia PSI 3.0), between 1 October 2014 and 30 September 2015. The freebie security scanner identifies software applications or plugins that are insecure and in need of patching. ®