Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/29/2016
04:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

US PC Users Making Some Progress in Patching Software Vulnerabilities, But Significant Challenges Remain

Private Microsoft(R) Windows(R) users patching their operating systems more diligently - but the same cannot be said of Apple(R) QuickTime(R) and Oracle(R) Java(R) users.

Itasca, IL. – April 26, 2016. Flexera Software, the leading provider of next-generation software licensing, compliance, security and installation solutions for application producers and enterprises today has published Country Reports covering Q1 2016 for 14 countries. The reports, compiled by the Flexera Software’s Secunia Research team, provide status on vulnerable software products on private PCs in those countries, listing the vulnerable applications and ranking them by the extent to which they expose those PCs to hackers.

Key findings in the US Country Report include:

·         Unpatched Microsoft Windows Operating Systems on the Decline: The percentage of  private PCs with unpatched operating systems (Windows 7, Windows 8, Windows 10, Windows Vista) in the US is on the decline.  As of the end of Q1 2016, 6.5 percent of users had unpatched Windows operating systems, compared to 14 percent at the same time last year.

·         Apple QuickTime Users Slower to Patch: 63 percent of US private users have not patched their Apple QuickTime 7.x software.  This number is up from 55 percent in Q4 2015.

·         Slight Increase in Instances of Unpatched Oracle Java: 42 percent of US private users were running unpatched versions of Oracle Java JRE 1.8x/8.x.  This is a slight increase from 39 percent in Q4 2015.

Users Applying Operating System Patches More Diligently

The decrease in unpatched Microsoft Windows operating systems is encouraging given the large number of Windows operating system vulnerabilities recorded in 2015, as reported in Flexera Software’s recently published Vulnerability Review 2016[1].  “Criminals use vulnerabilities as attack vectors to illegally gain entry into systems,” said Kasper Lindgaard, Director of Secunia Research at Flexera Software.  “Companies and individuals can substantially reduce the likelihood of a successful attack by diligently applying vulnerability patches as soon as they become available.  Based on the data reflected in today’s Country Report, it would appear that private users are, indeed, becoming more diligent at patching their Windows operating systems.”

Unpatched Java Programs on the Rise

The statistics regarding Java, on the other hand, are less encouraging.  At 42 percent unpatched and 45 percent market share, Oracle Java JRE 1.8x/8x was the product with the second highest risk exposure in Q1 2016, up from 39 percent unpatched in Q4, 2015.  Oracle did issue a critical Java patch release on March 23, 2016. In addition, Secunia Research at Flexera Software issued a Security Advisory on the Java vulnerability on March 10, with a Criticality Rating of Highly Critical – so the percentage of unpatched Java programs may decline in the future.

“A Criticality Rating of ‘Highly Critical’ is typically reserved for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure.” added Lindgaard.  “Despite our warnings and the availability of a patch, a significant percentage of private Java users remain vulnerable.”

To help users stay secure Flexera Software offers the Personal Software Inspector (formerly Secunia PSI 3.0), a free computer security scanner which identifies software applications that are insecure and in need of security updates. It has been downloaded by over 8 million PC users globally to detect vulnerable and outdated programs and plug-ins. 

The 14 Country Reports are based on data from scans by the Personal Software Inspector between January 1, 2016 and March 31, 2016.

- # # # -

Resources:

Learn more about:

·         Vulnerability Intelligence Manager

·         Corporate Software Inspector

·         Personal Software Inspector

Follow us on…

·         on LinkedIn

·         on Twitter

·         on Facebook

·         on Google+

·         via RSS


About Flexera Software

Flexera Software helps application producers and enterprises increase application usage and security, enhancing the value they derive from their software.  Our software licensing, compliance, cybersecurity and installation solutions are essential to ensure continuous licensing compliance, optimized software investments, and to future-proof businesses against the risks and costs of constantly changing technology.  A marketplace leader for more than 25 years, 80,000+ customers turn to Flexera Software as a trusted and neutral source of knowledge and expertise, and for the automation and intelligence designed into our products. For more information, please go to: www.flexerasoftware.com.

For more information, contact:

Flexera Software

John Lipsey
+1 (224) 465-9139
[email protected]

 

*All third-party trademarks are the property of their respective owners.

 



[1] The report catalogued vulnerabilities across Windows 10, which was released in 2015), Windows 8, Windows 7 and Windows Vista.  Windows XP went End of Life in April 2014 and therefore new vulnerabilities in the OS are not recorded.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32693
PUBLISHED: 2021-06-17
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the fir...
CVE-2021-32424
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, due to a lack of proper session controls, a threat actor could make unauthorized changes to an affected router via a specially crafted web page. If an authenticated user were to interact with a malicious web page it could allow for a complete takeover of the router.
CVE-2021-32426
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, it is possible to inject arbitrary JavaScript into the router's web interface via the "echo" command.
CVE-2021-32694
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device is possible to crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1.
CVE-2021-32695
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the sharing flow and choose t...