Windows bugs never really die

Because some PCs are never patched, pool of victims persists, says researcher

Hackers can successfully attack Windows PCs months -- even years -- after Microsoft Corp. fixes a flaw, a security expert said Thursday, because there's always a pool of unpatched systems.

According to data that Qualys Inc. culled from scans of more than 80 million machines, between 5% and 20% of all systems are never patched for any vulnerabilities, including those disclosed by Microsoft in its monthly security updates.

Qualys, a provider of on-demand IT security systems, tracked four vulnerability bulletins issued by Microsoft in 2008 and in each case found that a sizable fraction of the PCs it scanned had not been patched, even though in some cases more than a year had passed since Microsoft issued fixes.

The four updates, all labeled "critical" by Microsoft when they were released, included the following:

  • MS01-001, a two-patch update in January 2008 that plugged holes in three Windows TCP/IP protocols.

  • MS08-007, a single February 2008 patch for Windows' WebDAV Mini-Redirector, which defines how basic file functions such as Copy, Move, Delete and Create are performed using HTTP.

  • MS08-015, a one-fix update in March 2008 for a bug in Outlook, Microsoft's mail client, that could be exploited by tricking a user into visiting a malicious Web site.

  • MS08-021, a two-patch update released in April 2008 for Windows GDI, or graphics device interface, a frequently-fixed core component of the operating system.

Even as late as this year, MS08-021 had not been applied to 20% of the PCs that Qualys scanned. The percentage of machines lacking the MS08-015 update, on the other hand, dipped at times to about 5%.

"It's difficult to say why they haven't been patched," said Wolfgang Kandek, Qualys' chief technology officer. Kandek presented his findings at the RSA security conference in San Francisco. "It just baffles me. Some administrators are just doing their worst possible job patching."

Qualys' scans are conducted on machines owned by its clients, which are exclusively businesses -- predominantly large companies.

"Either they don't care, or they don't have enough resources to patch every machine," Kandek speculated.

Because some machines are never patched, there is always a ready reserve of potential victims, even for aging malware, Kandek continued. "Even very old worms can be successful," he said.

The notorious Conficker worm is a case in point. Though it's not old by any definition -- it debuted in November 2008 and just came to prominence in January 2009 -- Conficker's makers prey on PCs that have not been patched with an emergency update Microsoft issued last October. Last week, even after a media blitz about the worm's April 1 trigger, nearly 20% of the PCs Qualys scanned were without the MS08-067 update.

As if to flaunt that fact, the newest version of Conficker reactivated its ability to spread by exploiting the Windows bug.

Microsoft's products are not the only ones that never get completely patched, Kandek warned. Some of Adobe Systems Inc.'s applications are in the same boat. "There are always stragglers," Kandek said. "Microsoft Office is one of the biggest stragglers for patching, and Adobe Reader is another. They're just not on the map for many companies."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags hackersmicrosoft patchesqualys

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?