Ongoing Use of Windows Vista, IE8 Pose Huge Enterprise Threat

A new report highlights the high number of users still running outdated Windows operating systems and unsupported browsers. This represents a huge threat to organizations whose users access company networks from insecure laptops and home computers amid the growing adoption of BYOD policies.

Duo Security reports that 65% of its clients’ Windows users are still running Vista, and that tens of thousands are still on XP (now 15 years old, unsupported, and with around 700 known vulnerabilities, of which 200 are rated as high to critical). On top of this, while Chrome is the most popular browser, 20% of Internet Explorer users are running a version that has reached end-of-life status and does not receive security patches. Among the XP users, as many as 88% are still using Internet Explorer 8.

Duo Security is a trusted access provider offering multi-factor authentication to its customers. As part of this service it is required to collect telemetry from the users — often resulting in a greater knowledge of what is connecting to its customers’ networks than those customers themselves. Duo’s new report, The 2016 Duo Trusted Access Report: Microsoft Edition, is based on an analysis of that telemetry.

Michael Hanley, director at Duo Labs, is a firm believer that users should always operate the latest and greatest offerings — and he is a strong supporter of Windows 10. “There are a lot of advanced features that exist in Windows 10 which is arguably the most secure and strong operating system Microsoft has produced,” he told SecurityWeek. “But the problem is getting users off the legacy versions.”

He used the out-of-box settings of Vista as an example. “Windows 7 does not set you up as securely as does Windows 10. Users tend to start from a secure configuration with 10; but not with 7 — and the danger is that users have never configured 7 to be secure. My opinion is that a lot of people aren’t doing the basics — like automatic updates (or else they’d be on 10 or at least a more secure browser),” he suggested.

He admitted that legacy apps could be behind the continuing use of IE8. “The problem here is that if the company app only works with IE8, users will comply, but then run IE8 as their standard browser rather than just for the legacy app. This presents a significant exposure,” he warned: “first for the user, and then for the company. It implies that such companies have assumed that the cost of upgrading the app to work with the latest browser is more than the cost of a breach — but I would argue the opposite. A breach is probably far more costly in the long run than taking $50,000 to update some legacy application so that users can access it with Chrome or Azure and IE11.” In effect, he added, “Many companies are encouraging their users to make unsafe security choices and then drive with those on a daily basis. That’s troubling. 20% of users are on an unsupported and unpatched browser; and that’s pretty bad.”

To illustrate the effect he suggests looking at healthcare and ransomware. “From our own studies, healthcare customers have 4 times as many XP boxes as the financial sector. That illustrates why ransomware attacks have been so successful against healthcare. The bad guys go where they know they will succeed without a lot of effort.”

Duo customers do have options. Not only is Duo aware of the insecure connections, it can respond to them. “Customers can do nothing; they could detect those users still using old software and tell them to upgrade; or they could block those users from gaining access unless and until they upgrade,” said Hanley. 

“I would say that companies should, at the minimum, invoke the second option. Here at Duo we are insistent that our own users are up to date — we actually do use that third blocking option. We forbid anybody from using anything other than the latest and greatest software before they can access our own internal systems.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
