Given that it is National Cyber Security Awareness Month, now may be as good a time as any to reflect on just how many operating systems and applications are still run out there that are not likely to ever see much, if anything, in the way of a new security patch.
A new report from Secunia, a provider of IT security vulnerability management tools, shows how pervasive the problem has actually become. The report finds that the number of users running unpatched operating systems has gone up to 12.6 percent, a 1.5 percent increase over the previous quarter, while the number of users running applications after end-of-life support is now up to 5.7 percent, up from 4.9 percent last quarter.
The report also finds that the most exposed programs over the last quarter include Oracle Java 7 with 145 vulnerabilities and 42 percent of installed programs unpatched; Apple QuickTime 7 with 11 vulnerabilities and 33 percent of installed programs unpatched; and Adobe Reader 10 with 21 vulnerabilities and 30 percent of the installed programs unpatched.
Finally, Secunia reports that, with 218 identified vulnerabilities, 11 percent of installed copies of Microsoft Internet Explorer are unpatched. Chances are high that organizations are not only running multiple instances of these operating systems and applications; some are probably running multiple unpatched operating systems and applications. In fact, it’s estimated there are as many as 224 million instances of Windows XP still running. Microsoft is still providing security patches for Windows XP, but that is scheduled to come to an end next year.
Secunia is encouraging end users and IT service providers to download its Personal Security Inspector, a free IT security tool that detects vulnerable and outdated programs and plug-ins. Once installed, the Secunia PSI can help users automatically patch vulnerable programs.
As vendors move to reduce their support costs by declining to continue to support applications and operating systems that are long past their prime, the number of instances of unpatched products that IT service providers are going to see is likely to increase sharply. While the savvy IT service provider may not choose to support these unpatched operating systems and applications, they still represent a threat to the provider's profitability. It’s only a matter of time before these applications and operating systems get compromised. Invariably, those applications and operating systems are connected to other systems. As such, it’s also only a matter of time before these systems become vehicles for distributing malware to the rest of the organization.
Arguably, it’s in the best interest of IT service providers to go find those unpatched applications and operating systems running inside the organizations they support. More often than not, once alerted to the problem, most customers will move to upgrade or remove those applications and operating systems from their IT landscape. If they don’t, that’s also information an IT service provider needs to have. After all, any customer that isn’t willing to regularly patch their applications and operating systems probably isn’t a customer worth having.