65% of Windows Devices Are Running a Seven-Year-Old Operating System

Staff Report

Wednesday, November 2nd, 2016

Duo Security, a cloud-based Trusted Access provider protecting the world's largest and fastest-growing companies, announced its Trusted Access Report: Microsoft Edition. This is the second Trusted Access report coming from Duo. Findings include:

  • Sixty-five percent of all Windows devices are running Windows 7, released in 2009. Approximately 600 security vulnerabilities affect Windows 7.

  • Tens of thousands of devices are still running Windows XP 15 years after its release. This represents more than 700 vulnerabilities, 200 of which are rated as high-to-critical.

  • Twenty percent of devices running Internet Explorer are running unsupported versions 8, 9 and 10. IE versions 8 through 10 have reached end-of-life status without the ability to receive security patches, leaving them susceptible to old exploits. Of all devices running Microsoft browsers, only 3% are using the latest, Edge.

Mike Hanley, Duo's Director of Security, said, "The majority of users on Microsoft operating systems and browsers are failing to take advantage of the latest and greatest security updates and capabilities, leaving them open to potential attacks. This creates a risky proposition for out-of-date devices accessing sensitive cloud services and applications."

To assess the current state of device security, Duo analyzed more than two million devices, 63 percent of which were running Microsoft operating systems.

In its analysis, Duo also found:

  • Nearly 62 percent of devices running IE have an old version of Flash installed, potentially making them susceptible to compromise by an exploit kit containing code for Flash vulnerabilities.

  • Ninety-eight percent of devices running IE have Java installed. Businesses have legacy and custom applications that rely on Java. Java remains a top target of attackers.

  • Forty-two percent of all devices analyzed used Microsoft services, including Remote Desktop Protocol, Outlook Web Access, and Remote Desktop Gateway.

To protect against the vulnerabilities discussed here, Duo recommends:

  • Switch to modern browser platforms that are more secure, such as Edge, or those that update more frequently and automatically, such as Google Chrome

  • Run regular security updates as well as emergency patches

  • Use device encryption, passwords and fingerprint ID

  • Implement a two-factor authentication solution to protect systems and data

  • Enable automatic updates for as much software as possible to make it easier for your users

  • Disable Java and prevent Flash from running automatically on corporate devices, and enforce this on user-owned devices through endpoint access policies and controls

To protect environments from multiple attack vectors, Duo has taken a holistic approach to security. Its Trusted Access solution verifies the health of users' identities and the security health of their devices before granting access to authorized applications.