Unpatched end-of-life programmes with vulnerabilities are attack vectors hackers can exploit
These conclusions can be drawn from just-released Country Reports covering Q4 2016 for 12 countries, published by Secunia Research at Flexera Software, the leading provider of Software Vulnerability Management Solutions. The reports provide status on vulnerable software products on private PCs in 12 countries, listing the vulnerable applications and ranking them by the extent to which they expose those PCs to hackers.
“Software Vulnerability Management is an effective strategy for minimising the attack surface by enabling people and organisations to identify known vulnerabilities on their devices, prioritise those risks based on the criticality of the vulnerabilities, and mitigate those risks via automated patch management systems,” said Kasper Lindgaard, Director of Secunia Research at Flexera Software. “But risk remains if unsupported, end-of-life programmes containing vulnerabilities are running. Private PC users should continually scan their devices and remove end-of-life programmes from their systems. Within a business setting, security teams should collaborate closely with their Software Asset Management teams to discover and inventory their application estate and remove any unsupported, end-of life programmes.”
Other Key Findings in the Country Report Include:
- 7.2 percent of users had unpatched Windows operating systems in Q4 of 2016, up from 6.4 percent in Q3 of 2016 and down from 8.0 percent in Q4, 2015.
- 12.5 percent of users had unpatched non-Microsoft programmes in Q4, 2016, down from 12.8 percent in Q3 of 2016 and up from 11.4 percent in Q4 of 2015.
- The top three most exposed programmes for Q4 2016 were Apple iTunes 12.x (53 percent unpatched, 39 percent market share, 29 vulnerabilities), Oracle Java JRE 1.8.x / 8.x (45 percent unpatched, 41 percent market share, 39 vulnerabilities), and VLC Media Player 2.x (36 percent unpatched, 37 percent market share, 5 vulnerabilities).
The 12 Country Reports are based on data from scans by Personal Software Inspector between October 1, 2016 and December 31, 2016.