Secunia Research revealed the state of security for PC users in a total of 14 countries, including the US. One in 20 applications on private US PCs are end-of-life and 12 percent of Windows operating systems are unpatched.
Key findings in the US include:
- 5.5 percent of applications on the average US PC have reached end-of-life, meaning they are no longer supported by the vendor and do not receive security updates. Adobe Flash Player 18, which was end-of-life as of September 22, 2015, is found on 80% of the PCs.
- Apple QuickTime 7.x and Apple iTunes 12.x tops the list as the US’ most exposed applications: QuickTime has a market share of 55% and 18 reported vulnerabilities, 61% of users have not installed the latest updates. iTunes has a market share of 40% and 106 reported vulnerabilities, and 47% of users have not installed the latest updates.
- Other applications in the top 10 include Adobe Reader, Oracle Java 8 and Mozilla Firefox.
The number of end-of-Life applications on private US PCs has been between five and six percent since Q3 2014 – in 2013 the number was between three and four percent. The problem with end-of-life applications from a security perspective is that the vendors of those applications no longer publish security updates to patch vulnerabilities as they are discovered in the product. Consequently, any vulnerability in an end-of-life application is an open door into any PC on which the application is installed.
“Hackers benefit from users’ failure to uninstall end-of-life applications, as the exploits they wrote for the old versions continue to work and continue to have value on the black market,” said Kasper Lindgaard, Director of Secunia Research at Flexera Software. “Too many users install and forget. Maintenance of software is not high on the radar of the average computer users, who tend to install whatever application they need to support whatever they need to do. They then tend to leave it sitting in their system, forgetting to uninstall or update it,” said Lindgaard.
From Q3 2014 to Q2 2015, Oracle Java topped the list of Most Exposed applications in the US Country Reports. The Most Exposed applications are ranked based on how widespread they are (“Market share”) multiplied by how many of their users have neglected to patch them (“Unpatched”) even though a patch was available.
Oracle Java drops down to number four as a result of two factors:
- Oracle 7 went end-of-life in April 2015, and therefore got parked on the end-of-life list, which doesn’t factor in patch status because all end-of-life applications are de facto insecure.
- Users are currently migrating to Oracle Java 8, but the 40 percent market share does not bring Oracle Java 8 to the top of the list.