back to article Enterprise patching... is patchy, survey finds

Delays in updating software and operating systems are putting organisations at greater risk of attacks, according to research by Duo Security. The survey, based on real-world data*, found that less than a third (31 per cent) of Windows endpoints are running the latest version, Windows 10. More than half (53 per cent) of …

  1. Locky
    Coat

    31%?

    That many people accidently clicked the upgrade now button.

    Poor souls

    1. steve-b
      Trollface

      Re: 31%?

      That was the red X button right?

    2. Matt Bryant Silver badge
      Stop

      Re: Locky Re: 31%?

      "....That many people accidently clicked the upgrade now button...." Whilst the article highlights the problem in big organizations like healthcare, my own experience is that the problem is worse in smaller companies where IT policies and updates are subject to personal whim rather than professional process. In such companies, where many IT "professionals" have the same sniffy attitude to updating Windows as you displayed, there is also a similarly blinkered approach to security patching. Just last year I was at a small software company that wants to work with Wall Street financial houses, they considered themselves very avant garde, only I had to tell them my customer was declining the opportunity to work with them because my review of their practices showed it to be close to "head in sand". These guys included an MIT grad whom insisted Windows 10 was "no more secure than XP" and MS updates were there "just to keep Windows users living in fear"! Hipster snarks will not keep hackers out of your data.

  2. Anonymous Coward
    FAIL

    Delays in updating software and operating systems are putting organisations at greater risk

    Given the quality of recent Microsoft patches and upgrades, if you're a Windows shop then delaying patches upgrades sounds like a very sensible approach indeed.

    1. Disgruntled of TW

      Re: Delays in updating software and operating systems are putting organisations at greater risk

      Rock and a hard place ... not more than a week - your patch validation pipeline should be compact, but you do have to patch, or suck up the tears from WannaCry etc.

    2. ecofeco Silver badge
      Facepalm

      Re: Delays in updating software and operating systems are putting organisations at greater risk

      Dear god! 5 downvotes?! I didn't think there where that many stupid people still working in IT!

      I will not be polite about this: if you don't test Microsoft patches before deployment, you are a fucking moron.

      1. Anonymous Coward
        Anonymous Coward

        Re: Delays in updating software and operating systems are putting organisations at greater risk

        "I will not be polite about this: if you don't test ANY VENDORS patches before PRODUCTION deployment, you are a fucking moron."

        TFTFY.

        1. ecofeco Silver badge
          Thumb Up

          Re: Delays in updating software and operating systems are putting organisations at greater risk

          Absolutely AC. Absolutely.

          Good catch. Thanks.

          1. FlamingDeath Silver badge

            Re: Delays in updating software and operating systems are putting organisations at greater risk

            I think you'll find that in order to carry out testing, you need man power. I'm not sure which organisation you work for but in my experience, IT is seriously understaffed, underpaid, and overworked.

            Recently I approved some critical and security patches, somehow managed to get UI feature changes and Cortana became more vocal, asking users if they would recommend W10 to their friends!!

            This was for W10 for education too.

            M$ are a joke, and we are all captive to their stupid business decisions.

            How can one consider a company like M$ to be a serious business operating system producer, when they include a shortcut to Candycrush SAGA in the start menu by default?

      2. ecofeco Silver badge

        Re: Delays in updating software and operating systems are putting organisations at greater risk

        Well, looks like 4 more morons have voted!

        You lot wouldn't happen to work for BA, would you?

  3. Robert Carnegie Silver badge

    Wrong.

    Windows 7 is a current, supported product. Using it is fine. Windows 10 has automatic updating - which by default reboots when it likes and takes you work with it (unless, probably, you use Microsoft Cloudy Office 355 - so, not a flaw, a sales opportunity) - but an enterprise will take control of updating the endpoints anyway. Look at how many Star Trek episodes have the Enterprise's computer taken over by an alien force, or just becoming delusional on its own. (Both Kirk and Picard had to deal with each of these things happening, a lot.) Learn from this and install legitimate updates in phases - make proper use of your phaser.

  4. Anonymous Coward
    Anonymous Coward

    Headline is misleading, upgrading Windows version in any organisation can hardly be described as 'patching'.

    There is a good reason the NHS runs a lot of Windows 7 (and Server/SQL 2008 R2).

    Since the NHS EWA with Microsoft finished organisations will have had to buy their own CAL's as required. Those signed over to Trusts at the end of the agreement will be Windows 7 Desktop, and Windows Server and SQL 2008R2 with no SA (Though I question the value of SA).

    Being optimistic I'd argue that NHS Trusts are sweating the license assets it has and maximising their use before having to buy a hefty chunk of new licensing.

    As support ends in January 2020 for Windows 7 and Server 2008 though, new licensing will have to be bought soon in order to have any chance of upgrading both server and desktop machines in the 2 and a bit years remaining.

  5. SotarrTheWizard

    And that also assumes. . .

    . . . .that we actually USE Internet Exploder. Since we can't uninstall it. . . .

    I simply have removed the icon from my desktop and taskbar at home on my Win7 Gaming box. And the gaming box has STILL not completely recovered from the rollback after the uncommanded Win10 upgrade.

    Of course, my WORK box at home runs Mint. . .

    1. sz54c8

      Re: And that also assumes. . .

      I think you can remove IE from Win10 now...https://www.youtube.com/watch?v=dmOVBgdgvJw ...not really a reason to upgrade though...

  6. FlamingDeath Silver badge

    "More than half (53 per cent) of endpoints are running an out-of-date version of Flash, leaving them wide open to various vulnerabilities."

    Hmm, I wonder why that could be... It wouldn't have anything to with the sloppy coding we have come to expect from Adobe, you know, the kind of sloppy coding that FAILS in removing the old vulnerable version after updating...

    "And one in eight (13 per cent) endpoints are running an unsupported version of the Internet Explorer browser."

    This is most likely because many organisations use some citrix style VPN fudge or similar, that its system requirements demands an older version of MSIE, and won't work otherwise.

    "Duo Security reports that the picture becomes even bleaker when the spotlight is put on the healthcare sector. Three quarters of all healthcare organisations are running Windows 7 – higher than the industry average and likely a factor in why the NHS fared so badly during the recent WannaCrypt ransomware attack. A minority (3 per cent) of all endpoints are still running totally unsupported Windows XP. ®"

    I'm gonna step out on a limb here, It was mostly NHS southeast that was affected, the NHS in general is a political target right now for privatisation, people say conspiracy theory alot, another word for conspiracy, is collaboration, and people are collaborating all the time, usually incentivised by money, throw secret societies in the mix and who knows what is possible.

    Most of the infections were actually in Russia, and I think we are seeing another "Stuxnet"

    https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html?_r=0

    NHS southeast got hosed because I suspect they purposely didnt patch, and it being caught in the collateral damage was part of the plan.

    Not saying I am right on all those points, but definitely a gut feeling of mine

  7. adam payne

    Many organisations are stuck using these out of date versions because of critical software or customers requirements and/or costs.

    I know of software for several instruments that will only work on Windows XP, you can now upgrade the software for 4 - 5k per machine.

    I know of a certain rail company that forces you to use their system, that system unfortunately requires a old version of Java as they haven't digital signed their code.

    There certainly isn't an easy fix for this.

    1. ecofeco Silver badge

      There is this as well. Many companies are stuck with very specialized old versions of machine controllers that would cost 6+ digits to replace. Or a million or more for a new machine system. Think very large factory machines.

      Highway robbery, but there are often no alternatives.

      1. Anonymous Coward
        Anonymous Coward

        > Many companies are stuck with very specialized old versions of machine controllers that would cost 6+ digits to replace

        And these machines should not be connected to any network which interconnects in any way with the Internet.

  8. LDS Silver badge

    If Micrsoft didn't mess up badly with Windows 10...

    ... probably it would have been much more widespread.

    Anyway, despite Microsoft PR BS, Windows 10 is vulnerable to ETHERNALBLUE just like 7 if not patched (see https://technet.microsoft.com/en-us/library/security/ms17-010.aspx, it's CVE-2017-0144). The only difference is the forced patching of Win10 could have lead to less vulnerable systems - but in a WSUS system patches needs to be approved anyway.

    1. ecofeco Silver badge

      Re: If Micrsoft didn't mess up badly with Windows 10...

      10? Microsoft has a VERY long history of screwing up patches and bricking PCs.

    2. Anonymous Coward
      Anonymous Coward

      Re: If Micrsoft didn't mess up badly with Windows 10...

      "but in a WSUS system patches needs to be approved anyway."

      Nope - can be set to auto approve.

      1. LDS Silver badge

        Re: If Micrsoft didn't mess up badly with Windows 10...

        *Can* be set to autoapprove. We do it only for non-critical groups, usually desktops which are more at risk, but not for servers or other critical systems, which include some desktop groups as well. Those are approved in a few days, if no issue arises (or if the risk level is so high to prompt a quicker response)

  9. Benno

    what a bunch of rubbish...

    IE? Oh, that unused browser on the air-gapped system?

    Most of my 2k8r2 boxes are still running IE8. But what justification for downtime do you provide to _upgrade_ a non-removeable, unused product on an isolated system (when the only interactive use is viewing the console to keep an eye on boot progress)?

    Also, when is running an n-x OS that's fully patched, not patched?

    See the source article...

    (lies, damn lies, and statistics)

  10. ecofeco Silver badge

    It may seem simple, but it isn't.

    The biggest problem is all the proprietary and specialized software/middleware running on servers that barely play nice with each other, let alone that new patch that MAY or may not nuke everything.

    Remember, it's now common practice to test Microsoft patches by the server team before being sent over the company system. That alone should tell you something.

    Other vendor's patches? A shot in the dark every time. Now add the slacker factor of many companies.

    It's no mystery to me why patches are spotty at best.

    But the core problem is mostly shit software to begin with. Why SHOULD the client be the beta tester?

  11. 0laf
    Facepalm

    Many big suppliers refuse to invest in the development of their own products leaving customers hanging with out of date vulnerable systems.

    CRAPTA and NGA being prime culprits.

    Microsoft's instance on bundling up all their patches doesn't help either.

  12. EnviableOne Silver badge

    out of date flash

    Flash updates come like monthly (5 already this year, and another probably on tuesday) and all have cruitical security patches, and with the exception of a handfull of tools, must be updated manually.

    If anyone can keep up with that on their whole estate, they either have too little estate or too much time on their hands....

    Thumbs up for actualy releasing good code in the first place ...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022