A report out today on the state of endpoint device health shows that businesses today still face plenty of challenges in limiting the number of risky devices roaming in and out of their corporate networks.
Conducted by Duo Security and based on the 2 million devices utilizing its two-factor authentication platform, the study took a look at the condition of the operating systems and some of the apps on the devices logging into business environments. The results show that a sizable number of devices connect using devices containing out-of-date and even unsupported versions that introduce to business environments the risk of exploitation of vulnerabilities found in these versions.
Mac Users More Up-To-Date Than Windows....
The study showed that 53% of Mac OS users are running either the fully patched, latest version of OS X or the previous version, while just 35% of Windows users are on Windows 10 or Windows 8.1. As the researchers noted, there's still lots of vulnerable Mac devices out there and contrary to popular belief, these out-of-date endpoints are open to nasty privilege escalation vulnerabilities, among others.
...But More Macs Running Unsupported OS Versions
Even though the total percentage of out-of-date Windows devices outstrips similar Mac devices, Mac has more of a problem with users running completely unsupported OS versions. Duo found that among its sample of users, 8% of Apple users are running unsupported versions, while just 2% of Windows users are running unsupported operating systems.
Sizable Number Of Windows Devices Running Unsupported Versions of IE
A full quarter of Windows devices continue to run outdated and unsupported versions of Internet Explorer. More scary is the fact that at least half of all devices still running Windows XP are using IE 7 or IE 8. Overall, about 58% of all Windows devices are running the latest version of IE or Edge.
Google Chrome Users Have Best Update Track Record
Meanwhile, Google Chrome users tend to have the best track record for keeping their browser updated, with 82% of all Chrome users running the most up-to-date version of the browser, followed next by 66% of Firefox users running up-to-date browsers. Safari lags behind all others, with under half of those browsers fully up-to-date.
Majority Of Flash And Java Installs Out-Of-Date
Flash has overcome Java as the application most favored by zero-day exploits, but attackers don't even need to invest in expensive zero-day attacks to take advantage of either piece of software. This study shows that 60% of Flash users and 72% of Java users represented in this sample were running out-of-date versions.
"While critical Flash and Java vulnerabilities often prompt emergency vendor patches, users still run outdated software on the devices used to log into their company applications that can put entire organizations at risk," the report notes.
Java Plug-ins Falling Out Of Favor; Flash, Not So Much
First the good news. The study notes that it appears that Java plug-ins are finally starting to be retired on a large scale. According to this study, 78% of devices had Java uninstalled. Researchers attribute Oracle's plans to deprecate the plug-in with JDK 9's update and the fact that Java is no longer a default install for browsers. However, Flash is hardly anywhere close to dead. Only about 20% of devices have Flash uninstalled. Expect the bad guys to keep hammering Flash in the year to come.