The number of outdated versions of Adobe Flash running on enterprise computers grew 10 percent year-over-year to 53 percent of endpoints, despite numerous devastating attacks targeting the maligned software and endless calls to deprecate it.
Duo Security said in its 2017 Duo Trusted Access Report, released Monday, that enterprises are exposing themselves to unnecessary risk by not staying current with the latest software and operating systems. For its report, the company analyzed key indicators of device security health of 4.6 million endpoints ranging from Windows and Apple computers to 3.5 million Android and Apple mobile devices.
“To measure the state of device security health, the report analyzes top indicators including out-of-date operating systems, browsers and plugins that make endpoints more susceptible to vulnerabilities, as well as security features mobile devices have enabled,” researchers wrote. Research compares data culled from the first four months of 2016 to the same time period in 2017.
Flash was the most troubling aspect of endpoint security. Not only were the majority of users running outdated Flash, but Duo found that 21 percent of endpoints were running version 184.108.40.206 of Flash, a release with nearly a dozen listed critical vulnerabilities disclosed in February 2017. The industries with the highest share of outdated Flash installations were real estate, telecommunications and recruiting.
Kyle Lady, senior research and development engineer at Duo Security, said update fatigue is one factor behind the growing number of outdated Flash installations.
“People just want to bat down and click the update message to make it go away. Click the ‘update later’ option three or four times, and before you know it, your version of Flash is three months out of date,” he said in an interview with Threatpost. The good news, he said, was that Google Chrome and versions of Windows had now begun auto-updating Flash.
Mobile devices were another area of concern in the report. Just “twenty-seven percent of Android phones are running the latest major OS version, and 73 percent of iPhones were running the latest major version, iOS 10 and above,” according to the report.
When it came to Google’s monthly Android security patches, based on data collected in February 2017, 18 percent of Android devices were on January’s patch level, 10 percent were on February’s, and 14 percent had no security patch level at all, according to Duo’s data set.
The healthcare sector also took a ding in the report for its increased reliance on Windows XP, an operating system released in 2001 and out of extended support since April 2014. The percentage of healthcare endpoints running Windows XP rose from two to three percent over the past year, according to the firms interviewed.
“Hospitals remain reliant on XP thanks to expensive and complex boutique programs and equipment,” Lady said. “When hospitals expand, unfortunately so do the numbers of Windows XP systems coming online.” Overall, among Duo’s reporting base, Windows XP use has stayed the same with one percent of businesses still running the OS.
On the plus side, Windows 10 adoption within the United States has doubled within the enterprise since 2016 to 31 percent, according to the report. “That means many more endpoints are secured against known vulnerabilities that may affect older Windows OS versions, although not the majority yet,” researchers wrote.
“Windows 10 adoption is the most encouraging news to come out of this year’s report,” Lady said. He points out that Windows 10 Anniversary Update offers a number of security enhancements to the platform making it a non-trivial update to any enterprise’s network infrastructure.