We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,764 News Articles

Up to 20% of PCs never install security patches

Hackers exploit flaws months after fixes released

Hackers are exploiting software vulnerabilities months after they have been patched because not all PC users install the security updates, says Qualys.

According to data from the security firm, between five and 20 percent of all systems are never patched for any vulnerabilities, including those disclosed by Microsoft in its monthly security updates.

Qualys tracked four vulnerability bulletins issued by Microsoft in 2008 and in each case found that a sizable fraction of the PCs it scanned had not been patched, even though in some cases more than a year had passed since Microsoft issued fixes.

The four updates, all labeled 'critical' by Microsoft when they were released, included MS08-015, a one-fix update in March 2008 for a bug in Outlook, Microsoft's mail client, that could be exploited by tricking a user into visiting a malicious website, and MS08-021 - a two-patch update released in April 2008 for Windows GDI, or graphics device interface, a frequently-fixed core component of the operating system.

Even as late as this year, MS08-021 had not been applied to 20 percent of the PCs that Qualys scanned. The percentage of machines lacking the MS08-015 update, on the other hand, dipped at times to about 5 percent.

"It's difficult to say why they haven't been patched," said Wolfgang Kandek, Qualys' chief technology officer.

"It just baffles me. Some administrators are just doing their worst possible job patching."

Qualys' scans are conducted on machines owned by its clients, which are exclusively businesses - predominantly large companies.

"Either they don't care, or they don't have enough resources to patch every machine," Kandek speculated.

Because some machines are never patched, there is always a ready reserve of potential victims, even for aging malware, Kandek continued.

"Even very old worms can be successful," he said.

The notorious Conficker worm is a case in point. Though it's not old by any definition - it debuted in November 2008 and just came to prominence in January 2009 - Conficker's makers prey on PCs that have not been patched with an emergency update Microsoft issued last October.

Last week, even after a media blitz about the worm's April 1 trigger, nearly 20 percent of the PCs Qualys scanned were without the MS08-067 update.

As if to flaunt that fact, the newest version of Conficker reactivated its ability to spread by exploiting the Windows bug.

Microsoft's products are not the only ones that never get completely patched, Kandek warned. Some of Adobe's applications are in the same boat.

"There are always stragglers," Kandek said. "Microsoft Office is one of the biggest stragglers for patching, and Adobe Reader is another. They're just not on the map for many companies."


IDG UK Sites

LG G Watch review: Android Wear smartwatch is the best around, so far

IDG UK Sites

How to join Apple's OS X Beta Seed Program: Get OS X Yosemite on your Mac before public release

IDG UK Sites

Why the BBC iPlayer outage was caused by a DDoS attack: Topsy and Tim isn't *that* popular

IDG UK Sites

BBC using Glasgow 2014 Commonwealth Games to trial 4K/UHD, pan-around video, augmented video and...