Self-patching Chrome, Windows 10 close security gaps but admin neglect leaves other apps exposed

Administrators creating hacker playground by failing to keep most applications and network equipment updated

Australian computer users and administrators are getting better at patching their Windows environments but are lagging when it comes to patching non-Microsoft applications and even non-Windows Microsoft products, recent audits of patching discipline have found, amid warnings that businesses are leaving their applications and networks wide open to attack.

Flexera Software's Secunia Research arm, which regularly tracks the patching status of systems protected by the vendor's Personal Software Inspector (PSI) tool, found that just 4.4 percent of Australian users were running on unpatched Windows platforms in Q2 of this year – down from 5.9 percent in the first quarter of this year and 12.4 percent in the results from a year ago.

The improvements may well be attributable to new patching techniques used in Windows 10, Secunia Research director Kasper Lindgaard noted in a statement in which he called the improvement “remarkable and encouraging”.

Users were far less diligent in patching other applications, however: just 4.2 percent of Microsoft programs were observed to be unpatched, compared with 12.9 percent of non-Microsoft programs. This coincided with an increase in the share of installed programs that are non-Microsoft, from 40 percent last year to 47 percent this year.

Furthermore, some 6.7 percent of applications – out of an average of 79 applications per PC – were past their end-of-life (EOL), meaning they are no longer being actively patched or supported. This was up from 5.7 percent a year ago, suggesting that many users are failing to replace their applications as they get progressively older.

“The number of vulnerabilities just in the top three products underscores the vastness of the opportunity for hackers to gain entry into exposed systems, and the reason software vulnerability management is so essential,” said Lindgaard.

“If users install software but then ignore alerts and fail to initiate the patch process when a vulnerability is found, they will remain exposed to that vulnerability. That is very unfortunate and has the potential to result in a bad outcome.”

The most common EOL programs included Adobe Flash Player 21.x, Microsoft XML Core Services 4.x, Microsoft SQL Server 2005 Compact Edition and Apple QuickTime 7.x.

The research from Secunia – which also named a top-ten list of risky applications led by VLC Media Player 2.x, Oracle Java JRE 1.8.x and Apple iTunes 12.x – mirrored similar findings from Cisco's recent 2016 Midyear Cybersecurity Report, which warned of the escalating dangers of ransomware and identified a range of deficiencies in vulnerability patching.

Cisco found that Google Chrome, which uses auto-updating to regularly patch itself, had managed to get 60 to 85 percent of users running the most recent version; this corroborated Secunia's finding that 35 percent of users were still using the outdated Google Chrome 50.x.

“The role of protective security technology is, in part, to provide coverage during the vulnerability window that occurs before an organisation can patch its systems,” Cisco ANZ general manager of security Anthony Stitt said in a statement in which he highlighted the “extensive problem” caused by poor patching hygiene.

“Too often, once inside, threats are able to move around unseen for hundreds of days at a time. Practically every major breach is an example of this, which is demonstrative of the need for organisations to dramatically improve their ability to find ‘in-progress’ problems before they escalate.”

More than 23 percent of the systems Cisco examined – close to Secunia's finding of 14 percent – were still running Oracle Java SE 6, long ago replaced by Oracle, which is currently shipping v10. Cisco also identified problems with Microsoft Office 2013 installations, of which less than 10 percent were running the newest service pack version.

End users were equally deficient when it came to patching their network equipment: Cisco's scan of over 103,000 Cisco devices found that each device had, on average, 28 known vulnerabilities and had been running with these vulnerabilities for an average of 5.64 years.

More than 23 percent had vulnerabilities dating to 2011, around 16 percent still had vulnerabilities first published in 2009, and over 9 percent of devices still had known vulnerabilities that were more than 10 years old.

The findings suggested most companies keep their networks and applications in a steady state once they're configured and working – yet such devices, Cisco warned, “open up operational space to adversaries.”

“The more critical an application is to business operations, the less likely it is to be addressed frequently,” the analysis concluded, “creating gaps and opportunities for attackers.”

Stories by David Braue