Australian computer users and administrators are getting better at patching their Windows environments but are lagging when it comes to patching non-Microsoft applications, and even non-Windows Microsoft products, recent audits of patching discipline have found, amid warnings that businesses are leaving their applications and networks wide open to attack.
Flexera Software's Secunia Research arm, which regularly tracks the patching status of systems protected by the vendor's Personal Software Inspector (PSI) tool, found that just 4.4 percent of Australian users were running on unpatched Windows platforms in Q2 of this year – down from 5.9 percent in the first quarter of this year and 12.4 percent in the results from a year ago.
The improvements may well be attributable to new patching techniques used in Windows 10, Secunia Research director Kasper Lindgaard noted in a statement in which he called the improvement “remarkable and encouraging”.
Users were far less diligent in patching other applications, however: just 4.2 percent of Microsoft programs were found to be unpatched, compared with 12.9 percent of non-Microsoft programs. This coincided with an increase in the share of non-Microsoft programs on the average PC, from 40 percent last year to 47 percent this year.
Furthermore, some 6.7 percent of applications, out of the 79 applications installed on the average PC, were past their end-of-life (EOL), meaning they are no longer actively patched or supported. This was up from 5.7 percent a year ago, suggesting that many users are failing to replace their applications as they age.
“The number of vulnerabilities just in the top three products underscores the vastness of the opportunity for hackers to gain entry into exposed systems, and the reason software vulnerability management is so essential,” said Lindgaard.
“If users install software but then ignore alerts and fail to initiate the patch process when a vulnerability is found, they will remain exposed to that vulnerability. That is very unfortunate and has the potential to result in a bad outcome.”
The most common EOL programs included Adobe Flash Player 21.x, Microsoft XML Core Services 4.x, Microsoft SQL Server 2005 Compact Edition and Apple QuickTime 7.x.
The research from Secunia, which also named a top-ten list of risky applications led by VLC Media Player 2.x, Oracle Java JRE 1.8.x and Apple iTunes 12.x, mirrored similar findings from Cisco's recent 2016 Midyear Cybersecurity Report, which warned of the escalating dangers of ransomware and identified a range of deficiencies in vulnerability patching.
Cisco found that Google Chrome, which uses auto-updating to regularly patch itself, had managed to get 60 to 85 percent of users running the most recent version; this corroborated Secunia's finding that 35 percent of users were still using the outdated Google Chrome 50.x.
“The role of protective security technology is, in part, to provide coverage during the vulnerability window that occurs before an organisation can patch its systems,” Cisco ANZ general manager of security Anthony Stitt said in a statement in which he highlighted the “extensive problem” caused by poor patching hygiene.
“Too often, once inside, threats are able to move around unseen for hundreds of days at a time. Practically every major breach is an example of this, which is demonstrative of the need for organisations to dramatically improve their ability to find ‘in-progress’ problems before they escalate.”
More than 23 percent of the systems Cisco examined, close to Secunia's finding of 14 percent, were still running Oracle Java SE 6, long ago replaced by Oracle, which is currently shipping v10. Cisco also identified problems with Microsoft Office 2013 installations, of which less than 10 percent were running the newest service pack version.
End users were equally deficient when it came to patching their network equipment: Cisco's scan of over 103,000 Cisco devices found that each device had, on average, 28 known vulnerabilities, and that it had been running with those vulnerabilities for an average of 5.64 years.
More than 23 percent had vulnerabilities dating to 2011, around 16 percent still had vulnerabilities first published in 2009, and over 9 percent of devices still had known vulnerabilities that were more than 10 years old.
The findings suggested most companies keep their networks and applications in a steady state once they're configured and working – yet such devices, Cisco warned, “open up operational space to adversaries.”
“The more critical an application is to business operations, the less likely it is to be addressed frequently,” the analysis concluded, “creating gaps and opportunities for attackers.”