“The average Windows 10 PC has 14 militarized bugs”
Keeping systems patched against known exploits is a challenge
A study of vulnerabilities – bugs that can be a gateway for malware or allow an escalation of privileges by an intruder – shows that Windows platforms have by far the most, but that they also tend to be fixed quickly, compared to Linux systems or appliances like routers, printers and scanners.
Kenna Security has published a report based on “vulnerability data extracted from more than 9 million assets active in nearly 450 organizations”, collected by its cybersecurity research partner Cyentia Institute and based in part on data from automated vulnerability analyzers.
The problem facing all businesses is that a large number of vulnerabilities are reported – 18,000 per year in the CVE (Common Vulnerabilities and Exposures) listing, plus others outside this list – and managing them is difficult. Severity and probability of exploitation vary, so it is a question of managing the risk intelligently in order to minimize bad outcomes. According to the paper, only 5% of the vulnerabilities actually have known exploits.
Researchers say that 45% of vulnerabilities are corrected in one month, 66% in three months and 20% are not corrected even after a year. But how many of them are at high risk? This question is not answered directly, but the research indicates that two-thirds of businesses see either no change or a decrease in high-risk vulnerabilities each month, so the overall picture is not too bad – at least for this two-thirds group.
The assets analyzed mainly exclude mobile devices, leaving the five most common platforms as Windows 10 (25.3%), Linux (13.1%), Cisco (11.2%), Windows 7 (9.0%) and Windows 2012 (6.6%). It seems companies are struggling to stay up to date: Windows Server 2016 at 4.1% is only just ahead of Windows 2008, while Windows Server 2019 isn't even on the list.
Windows devices therefore dominate, the bad news being that “a Windows asset generally has 119 vulnerabilities to manage in a given month” – versus 32 for the Mac, 27 for Linux and 4 for appliances. This includes application as well as operating system vulnerabilities, so the high number on Windows is not down to Microsoft alone, but also to third-party applications. As a result, more than 71% of Windows devices have “at least one open high-risk vulnerability”, compared to 40% on Linux, 31% on Mac and 30% on appliances.
“The average Windows 10 PC has 14 armed bugs,” the researchers said, while Windows 7 has 18.
Although this sounds bad, the mitigating factor is that Microsoft platform assets get fixes faster than other platforms, the document said. “The half-life of vulnerabilities in a Windows system is 36 days,” it reports. “For network appliances, that number drops to 369 days. Linux systems are slower to repair, with a half-life of 253 days. This sounds strange, given how quickly the open source community tends to resolve serious security concerns, but this data comes from scanners observing what is deployed.”
Researchers believe that “Windows administrators are more used to regular reboots after decades of conditioning,” while “large-scale Linux fleet management tools tend to lag behind Windows.”
The almost contradictory conclusion is that a predominantly Windows environment is both the most vulnerable in terms of known exploits and also the easiest to get fixed quickly.
Looking at the details of the report, it is also noticeable that older Windows systems tend to be more difficult to secure, and third-party Windows software is corrected more slowly than Microsoft software. “Just say no to bloatware” is one conclusion.
What does a well-managed business look like in terms of managing the vulnerability of its assets? This is a difficult problem, but there is evidence here of the benefit of removing devices running old versions of Windows, minimizing the number of applications, and paying attention to all systems, including servers and Linux appliances, because this is where vulnerabilities tend to persist the longest.
However, this is only part of the security puzzle. Counting exploitable vulnerabilities is not the same as assessing the real risk. Desktop computers are more vulnerable not only because of the number of exploits, but also because there is a person sitting at them, browsing the Internet and clicking on things. Researchers applaud Microsoft's efforts, saying, “We see Microsoft Windows systems achieving impressive levels of correction performance. Congratulations to Apple, too.”
However, there is a reason for this: these systems are at high risk in everyday use.