Security Experts:

Connect with us

Hi, what are you looking for?



Report: Watch for Security Blind Spots if Your Focus is Patching Microsoft Vulnerabilities

Microsoft’s Patch Tuesday is a monthly news event. But new research from Secunia shows that focusing on patching Microsoft vulnerabilities can create a dangerous security blind spot.

Microsoft’s Patch Tuesday is a monthly news event. But new research from Secunia shows that focusing on patching Microsoft vulnerabilities can create a dangerous security blind spot.

Secunia Vulnerability ReportAccording to a new report from Secunia, third-party programs – as opposed to software from Microsoft – are almost exclusively responsible for the growth in vulnerabilities. In its Yearly Report for 2011, Secunia found that 78 percent of the vulnerabilities uncovered last year were in third-party programs. Just 12 percent of the vulnerabilities were found in Windows, and the remaining 10 percent were in Microsoft programs.

For organizations, this means that having the perception Microsoft products represent the primary attack vector is dangerous.

“Patching raises many challenges, however, the first challenge is always to identify all the assets (systems and software) that may need patching,” said Thomas Kristensen, chief security officer of Secunia. “We often find that this is the biggest obstacle to efficient patching.”

Complexity is another enemy of patching, the firm contends.

“To fully patch a typical end-point, the user (or administrator of the system) has to master at least 12 different update mechanisms, as the Top-50 software portfolio comprises programs from 12 different vendors,” the vendor claimed in its report. “With one update mechanism, namely “Microsoft Update”, the operating system and the 28 Microsoft programs can be patched to remediate 22% of the vulnerabilities. In addition to this, another 11 update mechanisms are needed to patch the remaining 22 third-party programs to remediate 78% of the vulnerabilities.”

The good news is that 72 percent of vulnerabilities had patches available on the day of disclosure.

“When applying patches there may be a number of concerns, centralized systems such as database servers which often are business critical, is always more of a concern than a typical office application,” he said. “One needs to define a policy with regards to prioritizing different systems as well as a testing policy to ensure that no patches are applied to live systems before having undergone testing.”

The full report can be found here.

Related: 3rd Party Applications Responsible for 69% of Vulnerabilities on Most Endpoints

Written By

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.