I recently read over Flexera’s Vulnerability Review 2018: Top Desktop Apps report, and frankly, I’m not surprised by the findings. According to the research, 83% of vulnerabilities were rated extremely or highly critical. Also, a staggering 93% of those vulnerabilities could be exploited over the Internet. That’s a lot of holes!
These numbers took me aback a bit. By far the most shocking was that 65% of the vulnerabilities found were in non-Microsoft software products. After thinking about it for a minute, though, it made total sense to me. I've been in IT for over 20 years now and have probably been responsible for patching hundreds of thousands of systems, but the vast majority of those patches were for Microsoft products.
Whenever we think of patching desktops, that typically means whatever we can approve in WSUS. That gets management off our backs and satisfies the regulators, because we can tick the box on the form that asks "Patching procedure in place?". WSUS only carries Microsoft's own updates, though, so that box says nothing about everything else installed on the machine. Microsoft's dominance of the corporate desktop and its years of practice keeping its own software patched mean it has gotten pretty good at it.
What about the critical line-of-business app that Accounting depends on every day and that hasn't been updated in years? If you're in the financial sector, for example, you probably have some old terminal emulation software on clients that "is being phased out" and has been for the past five years!
Why do we not patch non-Microsoft apps? It's not because IT simply doesn't care about security. It's because each software vendor seems to want to manage its software differently. Some have their own update mechanism, some simply email customers a link to the new installer on their website, and some have gone out of business altogether.
I’ve personally been in meetings where the security team that controls the desktop antivirus software wanted to use that vendor’s update mechanism while the software deployment team wanted all updates under one umbrella through Microsoft SCCM. It was a stalemate for a while, with the software deployment team eventually winning the argument. Situations like this come up all the time unless an organization has a clear protocol for patching all desktop apps the same way.
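A practical first step that arguments like the one above tend to skip: before deciding whose update mechanism wins, find out which non-Microsoft software is actually on the desktops and how old it is. The PowerShell below is an added example, not the author's script or anything from Flexera's report. It reads the same registry keys Programs and Features uses, so it needs no agent, and compares what it finds against a hypothetical `$Baseline` of approved versions; the three baseline entries are placeholders to replace with whatever your desktop team has actually approved.

```powershell
# Added example, not from the original post: inventory the non-Microsoft software
# installed on a Windows desktop and flag anything older than an expected version.

# Hypothetical baseline: regex on DisplayName -> minimum acceptable version.
$Baseline = @{
    '^7-Zip'                = '18.05'
    '^Notepad\+\+'          = '7.5.8'
    '^Adobe Acrobat Reader' = '18.011.20055'
}

# Same keys Programs and Features enumerates (64-bit, 32-bit, per-user installs).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ThirdPartySoftware {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -and
            $_.Publisher -notmatch '^Microsoft' -and   # keeps entries with no Publisher at all
            -not $_.SystemComponent                    # hides redistributables and hotfix entries
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Test-AgainstBaseline {
    param([Parameter(ValueFromPipeline)] $App)
    process {
        $rule = $Baseline.Keys | Where-Object { $App.DisplayName -match $_ } | Select-Object -First 1
        if (-not $rule) {
            $status = 'NotInBaseline'      # nobody has decided how this one gets patched
        } else {
            try {
                $have = [version]$App.DisplayVersion
                $want = [version]$Baseline[$rule]
                $status = if ($have -lt $want) { 'Outdated' } else { 'Current' }
            } catch {
                $status = 'UnparsableVersion'   # e.g. "1.2-beta"; review by hand
            }
        }
        [pscustomobject]@{
            Name      = $App.DisplayName
            Version   = $App.DisplayVersion
            Publisher = $App.Publisher
            Status    = $status
        }
    }
}

$report = Get-ThirdPartySoftware | Test-AgainstBaseline
$report | Sort-Object Status | Format-Table -AutoSize

# Hand everything that is not current to whoever owns third-party packaging,
# e.g. as CSV input for an SCCM collection.
$report | Where-Object Status -ne 'Current' |
    Export-Csv -Path "$env:COMPUTERNAME-thirdparty.csv" -NoTypeInformation
```

The `NotInBaseline` rows are the interesting ones: each is an application that no team has claimed, which is exactly the gap the stalemate above leaves open. Version strings that do not parse as `[version]` (vendor suffixes such as "-beta" or date-style strings) are reported rather than silently treated as current.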
Also, even if the organization does have a procedure in place to patch vulnerabilities, ops' job is to keep services running at all times. Patching introduces change, and change, to ops, is bad. Change is what may lead to downtime on the server or problems on the client. This is reinforced by the tickets IT gets from users when patches are installed and their machines reboot. No one wants more tickets!
The numbers in the Vulnerability Review were astounding to me, but, as I’ve just explained, I realize why they are skewed. Patching will always be one of those “have to” tasks that IT must do, at least until Flexera or another company can get it through our thick IT skulls that it doesn’t have to be.