When it comes to software, newer is better—at least in terms of security.
That’s not to say that newer versions of operating systems don’t sometimes represent a step backward in terms of functionality—looking in your direction, Windows Vista—but newer products released by tech companies almost always patch vulnerabilities present in older versions. As a result, a user with recently released software updated to the most recent version is, in general, going to be a more difficult target for hackers than someone whose programs are out of date.
The problem is that not everyone keeps their software current. According to a report released on Tuesday by the cybersecurity firm Duo Security, most Windows users are running older versions of software riddled with security flaws that, in many cases, have been known to hackers for years.
A point of weakness
Duo Security researchers analyzed the software installed on some 2 million devices, nearly two-thirds of which were running Microsoft operating systems, and found 65 percent of Windows users were running Windows 7—a 7-year-old operating system that lacks many of the security features found in Windows 10.
“In that history, seven calendar years later, we’ve seen about 600 publicly cataloged security vulnerabilities that have existed in Windows 7,” Mike Hanley, the director of Duo’s cybersecurity research team, told the Daily Dot. “Those range in severity, but when you do the math there, that’s close to 10 security issues every single month that have to get patched. There is certainly a maintenance concern there. If you haven’t kept up with those security patches, you’ve issued yourself a cumulatively worse amount of pain over time.”
Hanley noted that the tools Duo used for its analysis didn’t allow company researchers to check what percentage of Windows 7 users were currently patching their systems. However, he speculated, based on the frequency with which users updated other pieces of software he was able to monitor, that there are a lot of people out there with major holes in their security.
The report found that some users were even running Windows XP, which stopped receiving security updates from Microsoft in 2014. “We also found that tens of thousands of endpoints we analyzed are still running Windows XP and the browser IE 7 & 8, which no longer receive security updates,” Duo’s researchers noted in the report. “Released in 2001, Windows XP has over 700 reported vulnerabilities, with over 200 rated as high-to-critical severity, using the Common Vulnerability Scoring System (CVSS) industry standard for scoring vulnerabilities.”
The massive 2013 data breach at Target that exposed the credit card information of over 100 million of the retailer’s customers was reportedly the result of hackers using a decade-old exploit in the Windows XP operating system running on the company’s point-of-sale system. Had Target upgraded its cashier system to Windows 7, which did not have that same vulnerability because it had been fixed by Microsoft’s programmers, the breach likely would have never occurred.
While Windows 7 still receives regular security updates, according to Hanley, it lags behind Windows 10 in its ability to get users to actually install updates. Microsoft’s newer operating system does a much better job in this regard, which is good, but leaves users on the company’s older operating systems at a higher risk of running unpatched software. “They’ve made significant advances in prompting users as well as …[making updates] a less painful experience,” he said. “The problem is that was not true seven years ago when Windows 7 was released, so they have a lot of people who are lagging behind.”
Out-of-date web browsers are also a major vector for attackers looking to compromise users’ devices. Duo found that only 3 percent of the devices running a Microsoft OS are using the most recently released, and most secure, product—Microsoft Edge. Eighty percent were using Internet Explorer 11. The remaining swath of devices were running Internet Explorer versions 8, 9, or 10. All of these older iterations of Internet Explorer have stopped receiving security updates.
Researchers found that nearly 62 percent of devices were using Microsoft’s Internet Explorer with an out-of-date version of Flash. The adoption rate for more recent versions of Flash is higher for Google Chrome and Microsoft Edge—89 percent and 67 percent, respectively.
“Those don’t get patches anymore and previously the rate at which they were issuing Internet Explorer patches was about ten vulnerabilities a month that were getting patched by Microsoft,” Hanley said. “For a three-year running average, you had about 150 vulnerabilities per year discovered in Internet Explorer over the last three years.”
The report praised Chrome for doing a good job of keeping users updated behind the scenes, installing the most recent security features without requiring users to seek out updates on their own or even click a button to approve most updates.
An easy lift
Finally, the report noted that, simply by publicly announcing and patching software vulnerabilities, companies are effectively tipping off hackers to security holes that can be exploited in attacks against users who don’t install the updates. The vulnerabilities revealed by new patches are often added to the exploit kits used by hackers to break into systems within weeks of being made public.
“People have to remember that attackers are rational people; they are trying to make the maximum amount of profit for the least amount of work,” Hanley said. “If I’m a bad guy and I know I can get really high yield from a vulnerability that exists on an operating system that’s several years old or on a browser that hasn’t been patched in years, I’m going to do that because it’s probably significantly less expensive, and probably significantly lower effort, for me given the returns I’ll get on that.”
In short, the best you can do is always update your software immediately and upgrade to new operating systems when developers stop paying attention to them.