England expects... you to patch your apps and not just Windows

We're getting better at fixing Microsoft's OS but not so much with applications

Brits are getting better at patching Windows on their personal computers but worse at updating their applications, according to a new study.

Stats from vulnerability management outfit Secunia Research reveal that 6.4 per cent of UK users had unpatched Windows operating systems in Q3 of 2016, up from 5.4 per cent in Q2 but down from 7.9 per cent a year ago in Q3 2015. By comparison, 12.8 per cent of computer users in Blighty had unpatched non-Microsoft programs in Q3 2016, up from 12.6 per cent in Q2 of 2016 and 11.3 per cent in Q3 of 2015.

The top three poorly-patched programs in Q3 2016 were Oracle Java JRE (45 per cent of installations unpatched, 57 vulnerabilities), Apple iTunes (44 per cent unpatched, 50 vulnerabilities), and VLC Media Player (45 per cent unpatched, 7 vulnerabilities).

The figures further underline a longer-term trend of flaws in non-Microsoft software, such as Java and (of course) Adobe Flash, becoming a greater vulnerability risk than flaws in Microsoft Windows itself.

Redmond's decision to move to cumulative roll-up updates for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 is likely to simplify patching further, and so encourage more users to run fully patched systems. That only helps the Windows side of the ledger, though: roll-ups do nothing for the third-party applications that make up the bulk of the unpatched figures.

“We will be tracking this closely to determine whether the recent declines in unpatched Windows operating systems are a blip or indicative of a long term trend,” said Kasper Lindgaard, director of Secunia Research at Flexera Software. “If it is a trend, the consumer will ultimately benefit by the reduced attack surface that hackers can exploit within the Windows OS.”

A separate study from authentication firm Duo Security, also published on Tuesday, claims that 65 per cent of all Windows devices are running Windows 7, which was released in 2009. Approximately 600 security vulnerabilities have hit Windows 7 over its lifetime. Tens of thousands of devices are still running Windows XP 15 years after its release, and long after Redmond ended support for it in April 2014.

Twenty per cent of devices running Internet Explorer (IE) are running unsupported versions 8, 9 and 10, we're told. IE versions 8 through 10 have reached end-of-life status and no longer receive security patches, leaving them wide open to exploitation. Of all devices running Microsoft browsers, only three per cent are using the latest: Edge. Nearly 62 per cent of devices running IE have an old version of Flash installed, leaving them susceptible to compromise by hackers brandishing exploits that abuse Flash and JavaScript engine bugs to push malware onto poorly patched PCs.

Third party, fire and hack

Secunia Research reckons the high level of unpatched non-Microsoft programs is down to different packages having different ways of downloading and applying updates – which is, ultimately, confusing for users.

“Microsoft is standardising its patch process and automation across its entire application portfolio. In contrast, each non-Microsoft vendor may have its own patch process – requiring the user to be much more knowledgeable and diligent,” Secunia noted, adding that non-Microsoft programs represent 60 per cent of the code on a computer.

“Most users do not devote the time and attention necessary to keep up-to-date with the latest security patches across all the applications on their PCs. And for non-Windows applications, it takes more effort,” Lindgaard concluded.
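For readers who want to check their own kit, here is a PowerShell snippet added to this piece (it is not Secunia's, Duo's or Microsoft's code). It reads the same Uninstall registry keys an inventory tool like PSI consults, prints the OS build and the IE version actually installed, and lists the products named above so their versions can be compared with the vendor's current release. The watch-list names are assumptions lifted from the article; the script does not know what the latest version of anything is, so the comparison is left to the reader.

```powershell
# Added example, not code from Secunia, Duo or Microsoft.
# Inventories installed programs from the Windows Uninstall registry keys
# (machine-wide 64-bit, machine-wide 32-bit under WOW6432Node, and per-user)
# and flags the products named in the article. The watch list is an assumption
# for illustration; edit it to taste.

$WatchList = @('Java', 'iTunes', 'VLC', 'Flash Player')   # assumed names, from the article

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    # Every Uninstall subkey that carries a DisplayName is an installed product;
    # entries without one are usually patches or hidden components.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Get-WatchedSoftware {
    param([string[]] $Patterns = $WatchList)
    # Keep only products whose display name contains one of the watch-list strings.
    Get-InstalledSoftware | Where-Object {
        $name = $_.DisplayName
        @($Patterns | Where-Object { $name -like "*$_*" }).Count -gt 0
    }
}

# OS caption/build, and the IE version actually installed: IE 10 and later
# write svcVersion, older releases only populate Version.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }

"OS: $($os.Caption) (build $($os.Version))"
"IE: $ieVersion"
""
"Watch-listed third-party programs (check each DisplayVersion against the vendor's current release):"
Get-WatchedSoftware | Format-Table -AutoSize
```

Run it from an ordinary PowerShell prompt; the HKLM keys are readable without elevation. It deliberately reports rather than judges, because the only reliable source for "is this version current" is the vendor's own release notes, and that is exactly the per-vendor legwork Secunia is complaining about.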

Secunia’s stats are based on data from scans by consumers using its Personal Software Inspector patch-checking tool between the start of July and the end of September. That makes the sample self-selected: it counts only machines whose owners had already installed a patch-checking tool, so the figures for the wider PC population may well be worse. ®
