A study of vulnerabilities - bugs that can be a gateway for malware or allow privilege escalation by an intruder - shows that Windows platforms have by far the most, but that they also tend to be fixed quickly compared to Linux systems or appliances such as routers, printers and scanners.
Kenna Security has published a report based on "vulnerability data culled from more than 9 million active assets across nearly 450 organizations," gathered by its cybersecurity research partner Cyentia Institute and based in part on data from automated vulnerability scanners.
The issue which all businesses face is that huge numbers of vulnerabilities are reported - around 18,000 a year in the CVE (Common Vulnerabilities and Exposures) list, plus others outside that list - and managing these is challenging. Severity and likelihood of exploitation vary widely, so it is a matter of managing the risk intelligently to minimise bad outcomes. Only about 5 per cent of vulnerabilities actually have known exploits, according to the paper.
The researchers claim 45 per cent of vulnerabilities are patched within one month, 66 per cent within three months, and 20 per cent remain unfixed even after a year. But how many of these are high risk? That question is not answered directly, but the research does say that two-thirds of businesses see either no change or a decrease in high-risk vulnerabilities each month, so the overall picture is not too bad - at least for that two-thirds group.
The assets analysed mostly exclude mobile devices, leaving the top five most common platforms as Windows 10 (25.3 per cent), Linux (13.1 per cent), Cisco (11.2 per cent), Windows 7 (9.0 per cent) and Windows 2012 (6.6 per cent). It seems that businesses struggle to stay up to date: Windows Server 2016 at 4.1 per cent is only just ahead of Windows 2008, while Windows Server 2019 does not even feature in the list.
By the numbers
Windows devices dominate, therefore, with the bad news being that "a Windows-based asset typically has 119 vulnerabilities to manage in any given month" – compared to 32 for the Mac, 27 for Linux and 4 for appliances. This includes applications as well as operating system vulnerabilities, so the high number on Windows is not just about Microsoft, but also third-party applications. The result is that over 71 per cent of Windows devices have "at least one open high-risk vulnerability", compared to 40 per cent on Linux, 31 per cent on Mac and 30 per cent on appliances.
"The average Windows 10 PC has 14 weaponized bugs," said the researchers, while Windows 7 has 18.
While this sounds bad, the mitigating factor is that Microsoft platform assets get fixes faster than other platforms, according to the paper. "The half-life of vulnerabilities in a Windows system is 36 days," it reports. "For network appliances, that figure jumps to 369 days. Linux systems are slower to get fixed, with a half-life of 253 days." That seems strange, given the rapidity with which the open source community tends to fix serious security issues, but this data comes from scanners observing what is actually deployed, not from how quickly upstream fixes become available.
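The "half-life" figures quoted above are a remediation metric: the number of days after a vulnerability is first seen on an asset by which half of such findings have been closed. The following is an added illustration, not code from the Kenna/Cyentia report and not their methodology; it assumes the scanner produces one row per finding with a first-seen date and a close date (or none, if the finding is still open at the snapshot) and estimates the half-life with a Kaplan-Meier survival curve so that still-open findings are counted as unremediated rather than ignored. All names, platforms and dates in the sample data are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from fractions import Fraction
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One scanner finding. A closed date of None means the vulnerability was
    still open when the snapshot was taken (a right-censored observation)."""
    asset: str
    platform: str
    first_seen: date
    closed: Optional[date]


def durations(findings: List[Finding], snapshot: date) -> List[Tuple[int, bool]]:
    """Return (days_open, was_closed) per finding. Open findings contribute
    their age at the snapshot with was_closed=False."""
    out = []
    for f in findings:
        end = f.closed if f.closed is not None else snapshot
        out.append(((end - f.first_seen).days, f.closed is not None))
    return out


def survival_curve(pairs: List[Tuple[int, bool]]) -> List[Tuple[int, Fraction]]:
    """Kaplan-Meier estimate of S(t): the fraction of findings still open t days
    after first being seen. A finding that is open at the snapshot stays in the
    at-risk pool until its current age and then drops out without being
    counted as fixed, which a plain average of close times gets wrong."""
    pairs = sorted(pairs)          # by duration; ties handled together below
    n_at_risk = len(pairs)
    s = Fraction(1)                # exact arithmetic, no float rounding at 0.5
    curve = []
    i = 0
    while i < len(pairs):
        t = pairs[i][0]
        closed_at_t = censored_at_t = 0
        while i < len(pairs) and pairs[i][0] == t:
            if pairs[i][1]:
                closed_at_t += 1
            else:
                censored_at_t += 1
            i += 1
        if closed_at_t:
            s *= Fraction(n_at_risk - closed_at_t, n_at_risk)
            curve.append((t, s))
        n_at_risk -= closed_at_t + censored_at_t
    return curve


def half_life(pairs: List[Tuple[int, bool]]) -> Optional[int]:
    """Days until half the findings are closed, or None when the curve never
    reaches 0.5 inside the observation window (the honest answer when most
    findings are still open, rather than a number extrapolated from the few
    that were fixed)."""
    for t, s in survival_curve(pairs):
        if s <= Fraction(1, 2):
            return t
    return None


def naive_mean_close_days(pairs: List[Tuple[int, bool]]) -> Optional[float]:
    """Mean time-to-close over closed findings only. Shown for contrast: it
    silently drops open findings and so flatters slow platforms."""
    closed = [t for t, was_closed in pairs if was_closed]
    return sum(closed) / len(closed) if closed else None


def half_life_by_platform(findings: List[Finding], snapshot: date) -> Dict[str, Optional[int]]:
    by_platform = defaultdict(list)
    for f in findings:
        by_platform[f.platform].append(f)
    return {p: half_life(durations(fs, snapshot)) for p, fs in by_platform.items()}


# Constructed sample data (assumed format, not from the report).
SNAPSHOT = date(2020, 6, 1)
SAMPLE = [
    Finding("win-01", "windows", date(2020, 3, 1), date(2020, 3, 11)),  # closed after 10 days
    Finding("win-02", "windows", date(2020, 3, 1), date(2020, 3, 31)),  # closed after 30 days
    Finding("win-03", "windows", date(2020, 4, 1), date(2020, 5, 11)),  # closed after 40 days
    Finding("win-04", "windows", date(2020, 5, 1), None),               # open, 31 days so far
    Finding("lnx-01", "linux", date(2020, 1, 1), date(2020, 2, 20)),    # closed after 50 days
    Finding("lnx-02", "linux", date(2020, 1, 1), None),                 # open, 152 days so far
    Finding("lnx-03", "linux", date(2020, 2, 1), None),                 # open, 121 days so far
    Finding("lnx-04", "linux", date(2020, 3, 1), None),                 # open, 92 days so far
]

if __name__ == "__main__":
    for platform, hl in half_life_by_platform(SAMPLE, SNAPSHOT).items():
        rows = [f for f in SAMPLE if f.platform == platform]
        naive = naive_mean_close_days(durations(rows, SNAPSHOT))
        print(f"{platform}: half-life={hl} days, naive mean of closed={naive}")
```

On the constructed sample the Windows findings reach a half-life of 30 days, while the Linux findings never reach 0.5 within the window: three of four are still open, so the function returns None even though the one closed finding averages 50 days. That gap between the naive mean and the censoring-aware estimate is the point to check whenever a vendor or an internal dashboard reports a remediation "average": ask whether still-open findings were counted.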
The researchers speculate that "Windows admins are more accustomed to regular reboots after decades of conditioning," while "tooling for managing Linux fleets at scale generally lags behind that of Windows."
The near-contradictory conclusion is that a predominantly Windows-based environment is both the most vulnerable in terms of known exploits and also the easiest on which to achieve rapid remediation.
Looking at the detail of the report, it is also notable that older Windows systems tend to be harder to keep secure, and that third-party Windows software gets fixed more slowly than Microsoft software. "Just say no to bloatware" is one conclusion.
What does a well-managed business look like in terms of its asset vulnerability management? It is a tough problem, but there is evidence here for the benefit of culling devices running old versions of Windows, minimising the number of installed applications, and paying attention to all systems including Linux servers and appliances, as this is where vulnerabilities tend to persist for the longest time.
This is only one part of the security puzzle though. Counting exploitable vulnerabilities does not equate to evaluating the real-world risk. Desktop computers are more vulnerable not only because of the number of exploits, but also because there is a person sitting there browsing the internet and clicking on stuff. The researchers applaud Microsoft's efforts, saying: "We see Microsoft Windows systems achieving impressive levels of remediation performance. Kudos to Apple as well."
There is a reason for that, though: these are the systems that are riskiest to run.®