This year’s Mobile World Congress (MWC) starts in Barcelona in just under three weeks. In addition to “higher, faster, further”, critical topics will also be on the agenda at the performance show of the mobile communications industry, and one of them is the holey security environment of the mobile endpoints.
Absolute Software has analyzed millions of user data for this purpose. Absolute Software is a provider of self-healing, intelligent security solutions embedded in more than 600 million devices worldwide.
In 2022, 20,265 new software vulnerabilities have been identified and reported so far. This is an increase from 20,171 for all of 2021 and 18,325 for 2019. That’s no small number given the steps required for IT and security teams to detect each of these vulnerabilities and provide updates for every single endpoint in possession located at or managed by a company.
Patch Tuesday
For Windows 10 devices, Microsoft releases new updates every month on Patch Tuesday. Keeping Windows devices up to date with the latest patches can become a chore for businesses. However, if this is not done, they open their environments to potential compromises.
Absolute Software’s analysis found that the average Windows 10 Enterprise device is 59 days behind in patches, with government and retailers reporting the longest enterprise delays (83 and 77 days, respectively). If you include education, the patch backlog is even larger, averaging 115 days.
Looking at the total number of vulnerabilities fixed on Patch Tuesday in July and August alone shows that these devices are vulnerable to more than 200 vulnerabilities that already have a fix, including 21 that are rated critical , and one that is already being exploited.
Critical vulnerabilities are defined as those CVEs for which there is a publicly accessible mechanism for exploiting them. This means that hackers have published code on the Internet that allows them to exploit companies’ devices if the vulnerability has not yet been fixed. In other words: Affected companies can be attacked with extremely little effort.
Given this fact, one would think that the urgency to close security gaps is high. Still, organizations’ devices may remain unpatched for long periods of time out of monotony or simply lack of resources and time. However, the most interesting trend Absolute Software’s data revealed was that smaller companies — with fewer devices — experienced longer delays.
conclusion
This analysis shows that a significant number of endpoints are not up to date in terms of patches and are therefore vulnerable to exploits and attacks. This is the case in highly regulated industries such as government, service companies and educational institutions. These institutions are actually responsible for ensuring that their data and end devices remain secure.
Visibility is always the first step to fix such a problem. When IT admins know how many devices are obsolete and the risk this poses, they can take steps to ensure patches are installed—and that devices won’t work without those steps.
Absolute Resilience provides IT teams with a solution not only to have a real-time view of endpoints that need patching, but also to push updates to devices without end-user input. This eliminates the manual effort for IT teams and ensures that all software on the device is up to date, reducing vulnerability. With Absolute Software, the state of each application is consistently monitored and corrected if necessary thanks to the intelligent self-healing functions.
