Danish vulnerability tracker Secunia ApS has concluded that Apple Incorporated’s QuickTime is three times more likely to pose a threat than Microsoft Corporation’s Internet Explorer 6 and six times more likely to be a threat than Mozilla Corporation’s Firefox. According to an analysis of more than 350,000 system checks done over the last six months by the free Secunia Software Inspector, 33.1% of all QuickTime 7 installations weren’t up to date with security patches. AOL LLC’s Winamp, was almost as likely to be outdated: 27% of Winamp 5 installations were missing needed security fixes. In comparison, IE 6 installations lacked one or more patches, while just 5.2% of Firefox 2 deployments needed updating. Secunia’s data shows that outside of operating systems and browsers, users neglect regular patching.
“This constitutes a significant problem. Most people wouldn’t hesitate to open an .mpg, .jpg, .mov or .mp3 file from any source if it seems the least bit interesting and relevant. It’s easy to embed a movie in your home page, for example, and all it takes is one unpatched QuickTime vulnerability and a provocative video title to compromise a lot of visitors,” said Jakob Balle, Secunia’s development manager.
Researchers regularly identify vulnerabilities in QuickTime and Winamp. Secunia’s own database, for example, pins 10 bugs on QuickTime 7, Winamp 5 sports 11 vulnerabilities. There are fairly recent bugs as well, but fixes for all have been released. Balle said that scans of business computers for unpatched applications reveal the same user behaviour that inspections of consumer computers expose. Although the free Software Inspector remains available, Secunia is also pushing a server-side edition, dubbed Network Software Inspector.