As the number of software vulnerabilities grows, and people connect every day across personal and corporate devices running a multitude of different platforms, patch management has proven time and time again to be one of the most effective practices users can adopt to secure their PCs. But it’s also a complex one, given the number of endpoints and applications at work in today’s computing environment—and there are millions of vulnerable machines out there as a result.
In support of National Cyber Security Awareness Month (NCSAM), Secunia, in its latest quarterly Country Report, noted that vigilant patch management is a path that’s open to IT organizations and end users alike, thanks to timely updates from software vendors. In fact, 86% of vulnerabilities in the Top 50 software applications on private PCs had patches available on the day of disclosure last year.
However, the percentage of unpatched systems continues to increase. The firm found that the percentage of users running unpatched operating systems has risen to 12.6%, from 11.1% last quarter. And the percentage of users running unpatched end-of-life programs is also up, reaching 5.7% from 4.9% last quarter.
“It only takes one vulnerability for a hacker to exploit a user’s system. Just one. We are concerned to see such a high share of users with unpatched and end-of-life browsers and operating systems,” said Kasper Lindgaard, director of research at Secunia, in a statement. “We hope that as part of National Cyber Security Awareness Month, users will take a moment to make sure their systems are up to date with the most recent program versions and patches. These are free and readily available to consumers.”
The most exposed software packages meanwhile come from the usual suspects. For instance, with a market share of 73%, Microsoft’s Internet Explorer had 218 vulnerabilities in the last quarter, with 11% of installed programs unpatched.
In addition, Oracle Java 7 had 145 vulnerabilities and 42% of installed programs unpatched—a particular issue considering that 66% of users have it installed on their machines.
Also, Apple QuickTime 7 had 11 vulnerabilities and 33% of installed programs unpatched; and Adobe Reader 10 had 21 vulnerabilities and 230% of installed programs unpatched.
Leaving software unpatched may seem boneheaded, but the sheer number of updates to track and apply makes adequate patch management a substantial effort. “The hard fact is that professionals responsible for IT security and operations know that patching all things is not feasible,” said Marcelo Pereira, business developer at Secunia, in a blog post. “Nevertheless, it cannot be disputed that knowing the security status of applications running on machines, servers and other devices communicating with the network is critical to making decisions to mitigate the risk of a security incident.”
The principle of reducing the attack surface for cybercriminals is a foundation stone for a solid IT and information security strategy.
“We should all work with the assumption that a breach is inevitable,” said Pereira. “Therefore, we must be prepared to identify, and take actions to contain, breaches. And, of course, the larger the attack surface, the larger the risk - and consequently the more complex and challenging it is to solve incidents and avoid the consequences of a successful breach.”