65% of Windows devices still running Windows 7, released in 2009
To analyze the current state of device security, Duo Security analyzed more than two million devices, 63 percent of which were running Microsoft operating systems.
Seriously outdated Windows versions
Researchers found that 65 percent of all Windows devices are running Windows 7, affected by approximately 600 security vulnerabilities.
To make things even more dangerous, tens of thousand of devices are still running Windows XP 15 years after its release. This represents more than 700 vulnerabilities, 200 of which are rated as high-to-critical.
“There are numerous reasons why companies continue to stick with older operating systems like Windows 7,” said Ajay Arora, CEO of Vera. “Reasons can range from the cost it takes to update every computer, or the software they are currently using might not translate to newer operating system and environments.”
“If companies chose to continue to use Windows 7 and operating systems that lack features such as, no default disk encryption to protect data on lost devices and no file-level encryption to protect data as it leaves the corporate network, they need to consider using security software that do. It comes down to, spending the money to address the underlying issue of using an operating system with weaker security, spending money to update the operating systems, or spending the money to secure the thing you are trying to protect in the first place; the data itself,” concluded Arora.
Twenty percent of devices running Internet Explorer are running unsupported versions 8, 9 and 10. IE versions 8 through 10 have reached end-of-life status without the ability to receive security patches, leaving them susceptible to old exploits.
Of all devices running Microsoft browsers, only 3% are using the latest, Edge.
- Nearly 62 percent of devices running IE have an old version of Flash installed potentially making them susceptible to compromise by an exploit kit containing code for Flash vulnerabilities.
- Ninety-eight percent of devices running IE have Java installed. Businesses have legacy and custom applications that rely on Java. Java remains a top target of attackers.
- Forty-two percent of all devices analyzed used Microsoft services, including Remote Desktop Protocol, Outlook Web Access, and Remote Desktop Gateway.
“Malicious actors rely on out-dated and up-patched software, including operating systems, so they can automate malware distribution because they can save time and money – thereby increasing their profits,” said Stephen Singam, Managing Director, Security Research at Distil Networks, told Help Net Security.
“Reports like this are alarming because there is clearly a dangerously high number of devices that are worth targeting. The likelihood of one of these devices being compromised and subsequently added to a botnet are high and the likelihood of the owner of the device knowing their device has been compromised is low,” Singam added.
To protect against the vulnerabilities discussed here, Duo recommends:
- Switch to modern browser platforms that are more secure such as Edge or those that update more frequently and automatically
- Run regular security updates as well as emergency patches
- Use device encryption, passwords and fingerprint ID
- Implement a two-factor authentication solution to protect systems and data
- Enable automatic updates for as much software as possible to make it easier for your users
- Disable Java and prevent Flash from running automatically on corporate devices, and enforce this on user-owned devices through endpoint access policies and controls.