It should come as a surprise to no one that unpatched and end-of-life (EOL) software is a security risk. What is a surprise, however, is how many organizations in the U.S. continue to run unpatched software.
According to Flexera Software’s Q4 2016 Country Reports, 7.5 percent of users in the U.S. had unpatched Microsoft Windows operating systems.
Looking a level deeper, Flexera found that an average PC in the U.S. has 75 products installed. Out of those 75 products, 43 of them are non-Microsoft products and, on average, 14 percent of those 43 products are unpatched. While unpatched software is not a surprise, looking deeper in the data did provide an unexpected result for Kasper Lindgaard, Director of Research and Security at Flexera.
“There is still information which surprises me every time I see the reports,” Lindgaard told eWEEK. “Of the top 10 most exposed applications, approximately 50 percent of average PC users run unpatched vulnerable versions of the top four applications: Apple iTunes, Oracle Java, VLC Media Player and Adobe Reader.”
Lindgaard added that he’s particularly surprised that more users don’t patch Apple iTunes, Oracle Java, VLC Media Player and Adobe Reader, since in his view it is straight forward to download and apply security patches for those products.
Looking beyond just unpatched software is the issue of End-of-Life (EOL) software, for which vendors no longer provide patches, though users are still using the software. In the U.S., Flexera found that on the average PC, 7.4 percent of programs are EOL and no longer patched by the vendor. Among the EOL applications still running on end-user PCs is Adobe Flash Player 23.x. The currently supported version of Adobe Flash Player is version 24.x.
“This is highly critical, as Adobe Flash Player is one of the most targeted applications when it comes down to actively used exploits,” Lindgaard said.
Somewhat surprising is the fact that Flexera includes Google Chrome 54.x and 53.x among its’ top 10 EOL programs. Among the key features that Google has provided in Chrome since its first release is an automated updating mechanism that downloads updates. Lindgaard said that there could be several different explanation as to why older versions of Chrome are still found on user PCs.
“Either updates have been disabled, or the user is using more than one browser, and has at the time of the scan, not opened Google Chrome—and hence the automatic update hasn’t been applied,” Lindgaard said.
Flexera also provides country reports for the United Kingdom, France, Asia-Pacific (APAC) and the Nordic countries. Lindgaard noted overall the U.S. aligns closely with the world report with some small differences. For example, the U.S. is worse at applying patches to third-party applications and removing End-of-Life applications, but better at applying patches to the operating system.
“When it comes to the top 10 most exposed applications, eight of the applications are the same on the global and U.S. lists,” Lindgaard said.