According to data that Qualys Inc. culled from scans of more than 80 million machines, between 5% and 20% of all systems are never patched for any vulnerabilities, including those disclosed by Microsoft in its monthly security updates.
Qualys, a provider of on-demand IT security systems, tracked four vulnerability bulletins issued by Microsoft in 2008 and in each case found that a sizable fraction of the PCs it scanned had not been patched, even though in some cases more than a year had passed since Microsoft issued fixes.
The four updates, all labeled "critical" by Microsoft when they were released, included the following:
* MS01-001, a two-patch update in January 2008 that plugged holes in .
* , a single February 2008 patch for Windows' WebDAV Mini-Redirector, which defines how basic file functions such as Copy, Move, Delete and Create are performed using HTTP.