A new industry report on the state of OS and application vulnerabilities and patching underscored the security risks of end-of-life software and once again named Oracle Java the least patched application on the PCs it scanned.
The Secunia PSI Country Report, released quarterly, is based on scans by the Secunia Personal Security Inspector (PSI) product.
In Q1 2015, Secunia found that 14% of PCs in the US running Windows Vista, Windows 7 or Windows 8 were left unpatched, which does represent an uptick in unpatched OSes from Q4 2014. However, Craig Young, security researcher for Tripwire Inc., based in Portland, Ore., doesn't see this as a worrying trend.
"If you compare US 2014 Q1 (14.5%) with US 2015 Q1 (14%) and UK 2014 Q1 (12.1%) with UK 2015 Q1 (11.5%) there is actually a downtick in unpatched systems," Young noted. "I think that these numbers naturally fluctuate a few percentage points between quarters due to the varying OS release schedules."
The more important trend, according to Young, is that Secunia consistently finds Oracle's Java to be the least patched program. In the US, Oracle Java JRE 1.7.x/7.x was installed on 54% of scanned PCs, and 77% of those installations did not have the latest Java patches applied.
This marks the third straight quarter in which Java was the number one unpatched program, and it is a trend that extends around the globe. Young said that this proves Java to be "something like the universal language of exploitation."
"This is a serious problem as various commercial exploit kits and even free exploit frameworks are constantly incorporating fully functional weaponized Java exploits, making these attacks available to even the least sophisticated attacker," Young said. "Java as well as Flash make powerful platforms for compromising targets as they are both commonly loaded by Web browsers, thereby increasing exposure to Web-based attack."
Before Java took the dubious honor of the top spot, the least patched program was Microsoft XML Core Services (MSXML) 4.x, which had headed Secunia's list of least patched, actively supported software going back at least to Q4 2012 (the oldest report Secunia has posted).
MSXML 4.x was moved off that list in April 2014, when it reached end-of-life (EOL), and it now holds the number two spot on Secunia's list of end-of-life software still in use. Over the three quarters since its EOL, Secunia has found MSXML 4.x still installed on a majority of US systems: 76% in Q3 2014, 71% in Q4 2014 and 70% in Q1 2015.
MSXML 4.x has been a consistent number two on the EOL list because it cannot unseat Adobe Flash Player from the number one spot. Each quarter a different, newly retired version of Flash Player occupies that spot, since Flash's rapid release cycle means every version reaches end-of-life almost as soon as the next one ships.
Young worried that EOL products not only go unpatched, but that users often never even learn of newly discovered vulnerabilities and exploits in such software, because the vendor no longer issues advisories for it.
"The fact that there are so many EOL products installed on computers across the globe," Young said, "is why attackers and pen testers can have so much success exploiting old vulnerabilities."
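The practical first step against the problem Young describes is knowing which of these products are present on a given machine. The following PowerShell script is an added example, not part of the Secunia report, the article or Tripwire's tooling: it reads the Windows Uninstall registry keys (both native and WOW6432Node, so 32-bit installs on 64-bit Windows are seen) and flags installed Java runtimes and MSXML 4.x entries. The name patterns, the treatment of Java 7 and older as out of support (Oracle's last public Java SE 7 update shipped in April 2015) and the MSXML 4.x EOL date of April 2014 taken from the report above are the assumptions it encodes; adjust them as vendor support dates move.

```powershell
# Added example: inventory Java and MSXML 4.x installs via the Uninstall registry keys.
# Not the Secunia PSI's own detection logic; thresholds below are assumptions.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # absent on 32-bit Windows
)

# Every registered application with a display name; missing keys are ignored.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

$findings = foreach ($app in $installed) {
    # Oracle's installer registers names such as "Java 7 Update 79" or
    # "Java 8 Update 45"; capture the major version and update number.
    if ($app.DisplayName -match 'Java.*?\b(\d+) Update (\d+)') {
        $major  = [int]$Matches[1]
        $update = [int]$Matches[2]
        # Assumption: Java 7 and earlier are out of public support (Oracle ended
        # public Java SE 7 updates in April 2015). Newer majors still need to be
        # compared against the current Oracle Critical Patch Update by hand.
        $status = if ($major -le 7) {
            "EOL: Java $major no longer receives public updates; upgrade or remove"
        } else {
            "Supported major; verify update $update is the latest Oracle CPU"
        }
        [pscustomobject]@{ Product = $app.DisplayName; Version = $app.DisplayVersion; Status = $status }
    }
    # MSXML 4.x reached end-of-life in April 2014 (per the Secunia report above).
    elseif ($app.DisplayName -match 'MSXML\s*4') {
        [pscustomobject]@{
            Product = $app.DisplayName
            Version = $app.DisplayVersion
            Status  = 'EOL since April 2014; no further patches, remove if nothing depends on it'
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Java runtimes or MSXML 4.x installs registered in the Uninstall keys.'
}
```

Run it in an elevated session so both HKLM hives are readable. Two caveats a practitioner should keep in mind: a registry inventory only sees what an installer recorded, so a JRE or msxml4.dll copied onto disk by another application's setup (a common way MSXML 4.x lingers) will not appear, and per-user installs under HKCU are not covered here; a scanner such as Secunia PSI that checks file versions on disk will find those. Treat this as a quick triage, not a substitute for a vulnerability scan.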