Microsoft® Windows OS vulnerabilities appear to be stabilising after year-long decrease, while non-Windows application vulnerabilities still on the rise
These conclusions can be drawn from just-released Country Reports covering Q3 2016 for 12 countries, published by Secunia Research at Flexera Software, the leading provider of Software Vulnerability Management Solutions. The reports provide status on vulnerable software products on private PCs in 12 countries, listing the vulnerable applications and ranking them by the extent to which they expose those PCs to hackers.
Key Findings in the U.K. Country Report Include:
- 6.4 percent of users had unpatched Windows operating systems in Q3 of 2016, up from 5.4 percent in Q2 of 2016 and down from 7.9 percent in Q3, 2015.
- 12.8 percent of users had unpatched non-Microsoft programmes in Q3, 2016, up from 12.6 percent in Q2 of 2016 and 11.3 percent in Q3 of 2015.
- The top three most exposed programmes for Q3, 2016 were Oracle Java JRE 1.8.x / 8.x. (45 percent unpatched, 41 percent market share, 57 vulnerabilities), Apple iTunes 12.x (44 percent unpatched, 39 percent market share, 50 vulnerabilities), and VLC Media Player 2.x (45 percent unpatched, 36 percent market share, 7 vulnerabilities).
Level of Unpatched Windows Operating Systems Stabilizing
Though the level of unpatched private PC Windows operating systems may tick up or down from quarter to quarter, it appears to be stabilising at lower levels compared to this time last year. Time will tell whether this trend continues, but Microsoft’s recent announcement moving to a roll-up model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 updates may help. Microsoft says all supported versions of Windows will now follow a similar update servicing model, bringing a more consistent and simplified servicing experience.
“We will be tracking this closely to determine whether the recent declines in unpatched Windows operating systems are a blip or indicative of a long term trend,” said Kasper Lindgaard, Director of Secunia Research at Flexera Software. “If it is a trend, the consumer will ultimately benefit by the reduced attack surface that hackers can exploit within the Windows OS.”
The Attack Surface for Non-Microsoft Applications Continues to Grow
The security news was not all rosy for private PC users. The level of unpatched non-Microsoft programmes continues its upward trend. The reasons are likely due to the process consumers must utilise to implement security patches. Microsoft is standardising its patch process and automation across its entire application portfolio. In contrast, each non-Microsoft vendor may have its own patch process – requiring the user to be much more knowledgeable and diligent. And according to the 2016 Vulnerability Review, non-Microsoft programs represent 60 percent of the applications on a computer.
“Most users do not devote the time and attention necessary to keep up-to-date with the latest security patches across all the applications on their PCs. And for non-Windows applications, it takes more effort,” added Lindgaard. “This why automated patch management systems like Corporate Software Inspector for enterprises, and Personal Software Inspectorfor consumers, are so important.”
The 12 Country Reports are based on data from scans by Personal Software Inspector between July 1, 2016 and September 30, 2016.