The latest in user security metrics shows that only five percent of surveyed systems were fully up to date, with all applications patched and running the latest versions.

Even more disconcerting, that number is down from where it was when the firm first started doing examinations.

Secunia, the Danish security firm posted a free utility called Secunia Personal Software Inspector (PSI) in December 2006. The first report on user findings came in May 2007, when it reported 28 percent of all applications scanned by PSI were not secure, meaning they were older versions or there were security fixes available for the application that had yet to be installed.

In December, the company reported that 20 percent of applications scanned by PSI were not secure. One month later, with a year of collected data from the most recent 20,000 users to download Secunia PSI, the company found that just five percent of the computers scanned were fully patched and up to date.

Twenty seven percent had between one and five insecure applications, 25 percent had between six and 10 insecure apps, and 41 percent of computers scanned had 11 or more out of date, old or unpatched applications.

Thomas Kristensen, CTO of Secunia, says the software vendors should be more aggressive about telling users about these new versions. "The major problem here is nobody knows there is a security update," he told InternetNews.com. "No one knows there's an update for Opera or OpenOffice. Very few apps are like Firefox, which pops up a window and says there's a new version available, would you like to upgrade?"

The only way people would know about security patches is by going to advisory sites like Secunia's or each application vendor they use, and most users probably don't care to do that.

He also said firms have to get better about handling upgrades. He lauded Adobe for changing its installer policy with the Acrobat Reader. Previously, when a new version was installed, it left the older versions. Recently, however, Acrobat Reader began removing traces of previous versions on installation.

Sun, however, was singled out for leaving multiple versions of the Java Runtime Environment (JRE) and Java 2 Standard Edition (J2SE) installs on a computer. "Sun ought to do a much better job of informing users of what's happening and they ought to clean up the old versions unless it's required for compatibility issues," said Kristensen. "It really is unnecessary to leave three, five, seven versions of Sun software on a computer."

This article was first published on InternetNews.com. To read the full article, click here.