Security Experts:

Ongoing Use of Windows Vista, IE8 Pose Huge Enterprise Threat

A new report highlights the high number of users still operating outdated Windows operating systems and unsupported browsers. This represents a huge threat to the organizations whose users access company networks from insecure laptops and home computers within the growing adoption of BYOD policies.

Duo Security reports that 65% of its clients' Windows users are still running Vista, and that tens of thousands are still on XP (now 15 years old, unsupported, and with around 700 known vulnerabilities of which 200 are rated as high to critical). On top of this, while Chrome is the most popular browser, 20% of Internet Explorer users are running a version that has reached end-of-life status and do not receive security patches. For the XP users, as many as 88% are still using Internet Explorer 8.

Duo Security is a trusted access provider offering multi-factor authentication to its customers. As part of this service it is required to collect telemetry from the users -- often resulting in a greater knowledge of what is connecting to its customers' networks than those customers themselves. Duo's new report, The 2016 Duo Trusted Access Report: Microsoft Edition, is based on an analysis of that telemetry.

Michael Hanley, director at Duo Labs, is a firm believer that users should always operate the latest and greatest offerings -- and he is a strong supporter of Windows 10. "There are a lot of advanced features that exist in Windows 10 which is arguably the most secure and strong operating system Microsoft has produced," he told SecurityWeek. "But the problem is getting users off the legacy versions."

He used the out-of-box settings of Vista as an example. "Windows 7 does not set you up as securely as does Windows 10. Users tend to start from a secure configuration with 10; but not with 7 -- and the danger is that users have never configured 7 to be secure. My opinion is that a lot of people aren't doing the basics -- like automatic updates (or else they'd be on 10 or at least a more secure browser)" he suggested.

He admitted that legacy apps could be behind the continuing use of IE8. "The problem here is that if the company app only works with IE8, users will comply, but then run IE8 as their standard browser rather than just for the legacy app. This presents a significant exposure," he warned: "first for the user, and then for the company. It implies that such companies have assumed that the cost of upgrading the app to work with the latest browser is more than the cost of a breach -- but I would argue the opposite. A breach is probably far more costly in the long run than taking $50,000 to update some legacy application so that users can access it with Chrome or Azure and IE11." In effect, he added, "Many companies are encouraging their users to make unsafe security choices and then drive with those on a daily basis. That's troubling. 20% of users are on an unsupported and unpatched browser; and that's pretty bad."

To illustrate the effect he suggests looking at healthcare and ransomware. "From our own studies, healthcare customers have 4 times as many XP boxes as the financial sector. That illustrates why ransomware attacks have been so successful against healthcare. The bad guys go where they know they will succeed without a lot of effort."

Duo customers do have options. Not only is Duo aware of the insecure connections, it can respond to them. "Customers can do nothing; they could detect those users still using old software and tell them to upgrade; or they could block those users from gaining access unless and until they upgrade," said Hanley. 

"I would say that companies should, at the minimum, invoke the second option. Here at Duo we are insistant that our own users are up to date -- we actually do use that third blocking option. We forbid anybody from using anything other than the latest and greatest software before they can access our own internal systems."

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.