Old versions of Flash, Java, and Internet Explorer on Windows continue to create a soft underbelly for the enterprise, according to a new study by authentication firm Duo Security.
Microsoft might have clocked up 400 million Windows 10 users, but 65 percent of Windows machines in the enterprise are still running Windows 7, which, if unpatched, could be exposed to 600 security bugs known to affect the operating system, according to Duo Security.
The report from Duo Security, a provider of enterprise authentication software, serves as a reminder for Microsoft customers to be mindful of end-of-support deadlines for legacy Windows and Internet Explorer amid Microsoft’s switch to Windows 10 and its Edge browser.
Duo Security’s analysis shows that the enterprise might be out of kilter with Microsoft’s transition, with just 3 percent running Edge, while older versions of IE aren’t receiving patches. As of January, Microsoft stopped patching all browsers below IE 11.
Duo looked at 2 million customer devices and turned up 63 percent running some version of Windows. The figure highlights Apple’s incursion on the enterprise, with OS X running on 21 percent and iOS on 10 percent of devices in the study.
Meanwhile, Windows 7’s dominant share reflects the challenges Microsoft faces in upgrading enterprise customers to the latest security features in Windows 10, in some ways mirroring Google’s problems delivering new security features to Android users in the consumer and enterprise space. Overall, just 18 percent of mobile devices that connect to Google Play run Android 6.0 Marshmallow.
“The majority of users on Microsoft operating systems and browsers are failing to take advantage of the latest and greatest security updates and capabilities, leaving them open to potential attacks,” said Mike Hanley, Duo’s director of security.
The research also found “tens of thousands” of devices still running Windows XP, which Microsoft stopped patching in April 2014.
But perhaps the bigger weakness for the enterprise is outdated versions of Internet Explorer (IE) as Microsoft presses on with Edge. Duo reported that 20 percent of all devices are running IE 10 to 8.
Narrowing the field down further, Duo found that 62 percent of devices with some version of IE also were running old versions of Flash Player. Microsoft’s own telemetry data indicates Flash is the prime target for web attacks.
Duo also found that 98 percent of devices running IE have Java installed. While Java has taken a back seat to Flash as the preferred means of attacking Windows PCs, the finding highlights a unique threat to enterprise organizations that continue to run Java to support legacy business applications.