This seven-year-old version of the software is leaving users open to 600 security vulnerabilities.
Nearly two-thirds (65 percent) of all Windows devices are running Windows 7, which was released in 2009. This seven-year-old version of the software is leaving enterprises open to 600 security vulnerabilities.
New research from Duo Security analysed more than two million devices, 63 percent of which were running Microsoft operating systems. The results indicate that many devices are running old and unsupported versions of software.
Tens of thousands of devices are still running Windows XP, released 15 years ago. That exposes them to over 700 vulnerabilities, 200 of which are rated high-to-critical.
One in five devices running Internet Explorer (IE) are running unsupported versions 8, 9 and 10. These versions have reached end-of-life status without the ability to receive security patches, which leaves them susceptible to old exploits. Of all devices running Microsoft browsers, only three percent are using the latest, Edge.
Mike Hanley, director of security at Duo, told us: “There is a relatively large population of Internet Explorer users that haven't patched in over a year. Either users aren't enabling automatic updates or the other item is they're potentially using the browser with the applications that might only support those particular versions of browsers. Many customers don't do a good job of calculating what the cost of a breach is. They think it's cheaper to risk a breach, but in fact the opposite is quite true.”
Nearly 62 percent of devices running IE have an old version of Flash installed, which potentially makes them susceptible to compromise by an exploit kit containing code for Flash vulnerabilities.
Almost all (98 percent) of devices running IE have Java installed. Java remains a top target of attackers as businesses have legacy and custom applications that rely on it.
Hanley told SC, “Bad guys are focused as well. They want to launch attacks that they know will make them money and don't require a lot of effort. A lot of these industries that are generally further behind on adoption of new technology and new security capabilities are ripe for the taking. When you see week after week of ransomware reports, what I think we can all do a better job of is talking about how we can take better advantage of updates or this particular set of browser protections that would've made it much, much harder for a bad guy to land.”
To protect against vulnerabilities, the research recommends the following:
- Switch to modern browser platforms that are more secure (Edge) or those that update more frequently and automatically (Google Chrome)
- Run regular security updates as well as emergency patches
- Use device encryption, passwords and fingerprint ID
- Implement a two-factor authentication solution to protect systems and data
- Enable automatic updates for as much software as possible to make it easier for your users
- Disable Java and prevent Flash from running automatically on corporate devices, and enforce this on user-owned devices through endpoint access policies and controls
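The recommendations above are things an administrator can verify on a fleet before enforcing them. The script below is an added example written for this page; it is not from the Duo report or from SC, and Duo's own tooling is not involved. It reads standard Windows registry locations and built-in cmdlets to report the conditions the research measured on a single host: OS version, Internet Explorer version (flagged if 10 or older, per the article), whether the Flash ActiveX control and a Java runtime are present, whether automatic updates are switched on, and how long since the last hotfix was installed. The end-of-life threshold for IE and the "days since patch" idea are the editor's assumptions, not figures from the page. It needs PowerShell 3.0 or later (for `[ordered]`), which is available on Windows 7 via WMF 3.0.

```powershell
# Added example, not from the Duo report or the SC article.
# Audits one Windows host for the conditions discussed above.
# Registry paths are standard Windows/Adobe/Oracle locations; the IE
# end-of-life cutoff (<= 10) follows the article, everything else is an assumption.

$report = [ordered]@{}

# Operating system name and build
$nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$report.OS = "$($nt.ProductName) (build $($nt.CurrentBuild))"

# Internet Explorer: svcVersion holds the real version on IE 10+, Version on older releases
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$ieMajor = if ($ieVersion) { [int](($ieVersion -split '\.')[0]) } else { 0 }
$report.IEVersion = $ieVersion
$report.IEUnsupported = ($ieMajor -gt 0 -and $ieMajor -le 10)   # IE 8, 9, 10 are past end of life

# Flash Player ActiveX control (the one IE loads); on 64-bit hosts check the Wow6432Node view too
$flash = Get-ItemProperty 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX' -ErrorAction SilentlyContinue
if (-not $flash) {
    $flash = Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX' -ErrorAction SilentlyContinue
}
$report.FlashInstalled = [bool]$flash
$report.FlashVersion = $flash.Version

# Java runtime
$java = Get-ItemProperty 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment' -ErrorAction SilentlyContinue
if (-not $java) {
    $java = Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment' -ErrorAction SilentlyContinue
}
$report.JavaInstalled = [bool]$java
$report.JavaVersion = $java.CurrentVersion

# Automatic updates: Group Policy value takes precedence over the local setting.
# AUOptions 4 = download and install automatically.
$auPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$auLocal  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
$auOptions = if ($auPolicy.AUOptions) { $auPolicy.AUOptions } else { $auLocal.AUOptions }
$report.AutoUpdateEnabled = ($auOptions -eq 4)

# Most recent hotfix with a recorded install date (some entries have none)
$lastFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$report.LastPatchInstalled = $lastFix.InstalledOn
$report.DaysSinceLastPatch = if ($lastFix) {
    (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days
} else { $null }

[pscustomobject]$report | Format-List
```

Run it in an elevated PowerShell session on each endpoint, or wrap the body in `Invoke-Command -ComputerName` to collect the same fields fleet-wide; rows with `IEUnsupported`, `FlashInstalled`, `JavaInstalled` or a large `DaysSinceLastPatch` are the devices the recommendations above are aimed at. The script only reads; applying the controls (disabling Flash, removing Java, turning on automatic updates) remains a separate, policy-driven step.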
“The majority of users on Microsoft operating systems and browsers are failing to take advantage of the latest and greatest security updates and capabilities, leaving them open to potential attacks. This creates a risky proposition for out-of-date devices accessing sensitive cloud services and applications,” Hanley said.
“In this new world, the most critical aspect of an organisation's security program is securing access. This requires a security model where your users are strongly authenticated, their devices are secure and trustworthy, and you can protect access to all of your corporate applications, whether they're cloud-based, on-premises or hybrid,” said Jon Oberheide, CTO and co-founder at Duo Security.