Enterprise patching... is patchy, survey finds

Delays in updating software and operating systems are putting organisations at greater risk of attacks, according to research by Duo Security. The survey, based on real-world data*, found that less than a third (31 per cent) of Windows endpoints are running the latest version, Windows 10. More than half (53 per cent) of …

  1. Locky

    31%?

    That many people accidentally clicked the upgrade now button.

    Poor souls

    1. steve-b

      Re: 31%?

      That was the red X button right?

    2. Matt Bryant Silver badge

      Re: Locky Re: 31%?

      "....That many people accidentally clicked the upgrade now button...." Whilst the article highlights the problem in big organizations like healthcare, my own experience is that the problem is worse in smaller companies where IT policies and updates are subject to personal whim rather than professional process. In such companies, where many IT "professionals" have the same sniffy attitude to updating Windows as you displayed, there is also a similarly blinkered approach to security patching. Just last year I was at a small software company that wants to work with Wall Street financial houses; they considered themselves very avant garde, only I had to tell them my customer was declining the opportunity to work with them because my review of their practices showed it to be close to "head in sand". These guys included an MIT grad who insisted Windows 10 was "no more secure than XP" and MS updates were there "just to keep Windows users living in fear"! Hipster snarks will not keep hackers out of your data.

  2. Anonymous Coward

    Delays in updating software and operating systems are putting organisations at greater risk

    Given the quality of recent Microsoft patches and upgrades, if you're a Windows shop then delaying patches and upgrades sounds like a very sensible approach indeed.

    1. Disgruntled of TW

      Re: Delays in updating software and operating systems are putting organisations at greater risk

      Rock and a hard place ... not more than a week - your patch validation pipeline should be compact, but you do have to patch, or suck up the tears from WannaCry etc.

    2. ecofeco Silver badge

      Re: Delays in updating software and operating systems are putting organisations at greater risk

      Dear god! 5 downvotes?! I didn't think there were that many stupid people still working in IT!

      I will not be polite about this: if you don't test Microsoft patches before deployment, you are a fucking moron.

      1. Anonymous Coward

        Re: Delays in updating software and operating systems are putting organisations at greater risk

        "I will not be polite about this: if you don't test ANY VENDORS patches before PRODUCTION deployment, you are a fucking moron."

        TFTFY.

        1. ecofeco Silver badge

          Re: Delays in updating software and operating systems are putting organisations at greater risk

          Absolutely AC. Absolutely.

          Good catch. Thanks.

          1. FlamingDeath Silver badge

            Re: Delays in updating software and operating systems are putting organisations at greater risk

            I think you'll find that in order to carry out testing, you need man power. I'm not sure which organisation you work for but in my experience, IT is seriously understaffed, underpaid, and overworked.

            Recently I approved some critical and security patches, somehow managed to get UI feature changes and Cortana became more vocal, asking users if they would recommend W10 to their friends!!

            This was for W10 for education too.

            M$ are a joke, and we are all captive to their stupid business decisions.

            How can one consider a company like M$ to be a serious business operating system producer, when they include a shortcut to Candy Crush Saga in the start menu by default?

      2. ecofeco Silver badge

        Re: Delays in updating software and operating systems are putting organisations at greater risk

        Well, looks like 4 more morons have voted!

        You lot wouldn't happen to work for BA, would you?

  3. Robert Carnegie Silver badge

    Wrong.

    Windows 7 is a current, supported product. Using it is fine. Windows 10 has automatic updating - which by default reboots when it likes and takes your work with it (unless, probably, you use Microsoft Cloudy Office 355 - so, not a flaw, a sales opportunity) - but an enterprise will take control of updating the endpoints anyway. Look at how many Star Trek episodes have the Enterprise's computer taken over by an alien force, or just becoming delusional on its own. (Both Kirk and Picard had to deal with each of these things happening, a lot.) Learn from this and install legitimate updates in phases - make proper use of your phaser.

  4. Anonymous Coward

    Headline is misleading, upgrading Windows version in any organisation can hardly be described as 'patching'.

    There is a good reason the NHS runs a lot of Windows 7 (and Server/SQL 2008 R2).

    Since the NHS EWA with Microsoft finished, organisations will have had to buy their own CALs as required. Those signed over to Trusts at the end of the agreement will be Windows 7 Desktop, and Windows Server and SQL 2008 R2 with no SA (though I question the value of SA).

    Being optimistic, I'd argue that NHS Trusts are sweating the licence assets they have and maximising their use before having to buy a hefty chunk of new licensing.

    As support ends in January 2020 for Windows 7 and Server 2008 though, new licensing will have to be bought soon in order to have any chance of upgrading both server and desktop machines in the 2 and a bit years remaining.

  5. SotarrTheWizard

    And that also assumes. . .

    . . . .that we actually USE Internet Exploder. Since we can't uninstall it. . . .

    I simply have removed the icon from my desktop and taskbar at home on my Win7 Gaming box. And the gaming box has STILL not completely recovered from the rollback after the uncommanded Win10 upgrade.

    Of course, my WORK box at home runs Mint. . .

    1. sz54c8

      Re: And that also assumes. . .

      I think you can remove IE from Win10 now... https://www.youtube.com/watch?v=dmOVBgdgvJw ...not really a reason to upgrade though...

  6. FlamingDeath Silver badge

    "More than half (53 per cent) of endpoints are running an out-of-date version of Flash, leaving them wide open to various vulnerabilities."

    Hmm, I wonder why that could be... It wouldn't have anything to do with the sloppy coding we have come to expect from Adobe, you know, the kind of sloppy coding that FAILS in removing the old vulnerable version after updating...

    "And one in eight (13 per cent) endpoints are running an unsupported version of the Internet Explorer browser."

    This is most likely because many organisations use some Citrix-style VPN fudge or similar, whose system requirements demand an older version of MSIE, and which won't work otherwise.

    "Duo Security reports that the picture becomes even bleaker when the spotlight is put on the healthcare sector. Three quarters of all healthcare organisations are running Windows 7 – higher than the industry average and likely a factor in why the NHS fared so badly during the recent WannaCrypt ransomware attack. A minority (3 per cent) of all endpoints are still running totally unsupported Windows XP. ®"

    I'm gonna step out on a limb here. It was mostly NHS South East that was affected; the NHS in general is a political target right now for privatisation. People say conspiracy theory a lot; another word for conspiracy is collaboration, and people are collaborating all the time, usually incentivised by money. Throw secret societies in the mix and who knows what is possible.

    Most of the infections were actually in Russia, and I think we are seeing another "Stuxnet"

    https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html?_r=0

    NHS South East got hosed because I suspect they purposely didn't patch, and it being caught in the collateral damage was part of the plan.

    Not saying I am right on all those points, but it's definitely a gut feeling of mine.

  7. adam payne

    Many organisations are stuck using these out of date versions because of critical software or customers requirements and/or costs.

    I know of software for several instruments that will only work on Windows XP, you can now upgrade the software for 4 - 5k per machine.

    I know of a certain rail company that forces you to use their system; that system unfortunately requires an old version of Java as they haven't digitally signed their code.

    There certainly isn't an easy fix for this.

    1. ecofeco Silver badge

      There is this as well. Many companies are stuck with very specialized old versions of machine controllers that would cost 6+ digits to replace. Or a million or more for a new machine system. Think very large factory machines.

      Highway robbery, but there are often no alternatives.

      1. Anonymous Coward

        > Many companies are stuck with very specialized old versions of machine controllers that would cost 6+ digits to replace

        And these machines should not be connected to any network which interconnects in any way with the Internet.

  8. Anonymous Coward

    If Microsoft didn't mess up badly with Windows 10...

    ... probably it would have been much more widespread.

    Anyway, despite Microsoft PR BS, Windows 10 is vulnerable to ETERNALBLUE just like 7 if not patched (see https://technet.microsoft.com/en-us/library/security/ms17-010.aspx, it's CVE-2017-0144). The only difference is the forced patching of Win10 could have led to less vulnerable systems - but in a WSUS system patches need to be approved anyway.

    1. ecofeco Silver badge

      Re: If Microsoft didn't mess up badly with Windows 10...

      10? Microsoft has a VERY long history of screwing up patches and bricking PCs.

    2. Anonymous Coward

      Re: If Microsoft didn't mess up badly with Windows 10...

      "but in a WSUS system patches need to be approved anyway."

      Nope - can be set to auto approve.

      1. Anonymous Coward

        Re: If Microsoft didn't mess up badly with Windows 10...

        *Can* be set to auto-approve. We do it only for non-critical groups, usually desktops, which are more at risk, but not for servers or other critical systems, which include some desktop groups as well. Those are approved in a few days, if no issue arises (or sooner if the risk level is so high as to prompt a quicker response).
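The phased approval the commenter above describes (auto-approve for desktop groups, servers held back for a soak period unless a human pushes them sooner), and the "install legitimate updates in phases" advice earlier in the thread, can be expressed as a scheduled WSUS script. The following is an added illustration, not code from any commenter or from Microsoft; it uses the cmdlets of the UpdateServices module that ships on a WSUS server, and the group names "Workstations" and "Servers", the three-day soak period and the Approve-StagedUpdates function name are assumptions for the example.

```powershell
# Added example: two-ring WSUS approval. Assumes it runs on the WSUS server
# with the UpdateServices module available; group names and the soak period
# are hypothetical and should be replaced with your own.
Import-Module UpdateServices

function Approve-StagedUpdates {
    param(
        [string]$FastRing = 'Workstations',   # hypothetical: approved on arrival
        [string]$SlowRing = 'Servers',        # hypothetical: approved after soak
        [int]$SoakDays = 3                    # hypothetical soak period
    )

    $wsus   = Get-WsusServer
    $groups = $wsus.GetComputerTargetGroups()
    $fast   = $groups | Where-Object Name -eq $FastRing
    $slow   = $groups | Where-Object Name -eq $SlowRing
    if (-not $fast -or -not $slow) { throw "Target group(s) not found on this WSUS server" }

    # Security and Critical updates that have not been declined
    $candidates = @()
    foreach ($class in 'Security', 'Critical') {
        $candidates += Get-WsusUpdate -UpdateServer $wsus -Classification $class `
                                      -Approval AnyExceptDeclined -Status Any
    }

    foreach ($u in $candidates) {
        $update = $u.Update                       # IUpdate object behind the wrapper
        $age    = (Get-Date) - $update.ArrivalDate

        # Ring 1: approve for the fast ring if not already approved there
        if ($update.GetUpdateApprovals($fast).Count -eq 0) {
            Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $FastRing
            Write-Output ("Fast ring: approved '{0}'" -f $update.Title)
        }

        # Ring 2: only after the soak period; a human can still approve earlier
        # through the console when the risk warrants it.
        if ($update.GetUpdateApprovals($slow).Count -eq 0) {
            if ($age.TotalDays -ge $SoakDays) {
                Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $SlowRing
                Write-Output ("Slow ring: approved '{0}' after {1:N0} days" -f $update.Title, $age.TotalDays)
            } else {
                Write-Output ("Slow ring: holding '{0}' ({1:N0} of {2} soak days)" -f $update.Title, $age.TotalDays, $SoakDays)
            }
        }
    }
}

Approve-StagedUpdates
```

Run it from a scheduled task once a day; the fast ring then matches the "auto approve" behaviour, while servers only pick up an update that has already sat on the desktop ring for the soak period without a rollback. Because the script never approves for the slow ring on its own before the soak period ends, an early manual approval for a high-risk fix remains a deliberate, logged decision rather than the default path.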

  9. Benno

    what a bunch of rubbish...

    IE? Oh, that unused browser on the air-gapped system?

    Most of my 2k8r2 boxes are still running IE8. But what justification for downtime do you provide to _upgrade_ a non-removable, unused product on an isolated system (when the only interactive use is viewing the console to keep an eye on boot progress)?

    Also, when is running an n-x OS that's fully patched, not patched?

    See the source article...

    (lies, damn lies, and statistics)

  10. ecofeco Silver badge

    It may seem simple, but it isn't.

    The biggest problem is all the proprietary and specialized software/middleware running on servers that barely play nice with each other, let alone that new patch that MAY or may not nuke everything.

    Remember, it's now common practice to test Microsoft patches by the server team before being sent over the company system. That alone should tell you something.

    Other vendors' patches? A shot in the dark every time. Now add the slacker factor of many companies.

    It's no mystery to me why patches are spotty at best.

    But the core problem is mostly shit software to begin with. Why SHOULD the client be the beta tester?

  11. 0laf

    Many big suppliers refuse to invest in the development of their own products leaving customers hanging with out of date vulnerable systems.

    CRAPTA and NGA being prime culprits.

    Microsoft's insistence on bundling up all their patches doesn't help either.

  12. EnviableOne

    out of date flash

    Flash updates come like monthly (5 already this year, and another probably on Tuesday) and all have critical security patches, and with the exception of a handful of tools, must be updated manually.

    If anyone can keep up with that on their whole estate, they either have too little estate or too much time on their hands....

    Thumbs up for actually releasing good code in the first place ...
