Patching really does work

I’ve been wanting to do a study like this for a long time. I’m glad someone else finally did:

The German Federal Office for Information Security (BSI) previously recommended that users should keep their Windows systems up to date, should ideally use Google Chrome and should avoid using Java at all if possible. The efficacy of these simple protection measures has now been demonstrated in a study carried out by the BSI. It used two different Windows systems to visit a total of 100 web sites hosting drive-by downloads (malicious code which spreads primarily by exploiting security vulnerabilities).

Unsurprisingly (to me, if not to certain security cynics), keeping your browser and plug-ins patched (and disabling Java if not in use) is effective in most instances:

The results speak for themselves, with the vulnerable system picking up 36 infections from visiting infected websites, whilst the system configured according to BSI recommendations picked up none.

The message is clear: teaching users a few basics, like how (and why) to keep their browser and plug-ins up to date, can dramatically reduce their risk of infection.

(hat tip to Denis Sinegubko for the link)