Out-of-Date Software and Plug-ins Compound End-User Risk
It’s obvious that “active” mistakes by end users — like clicking on phishing emails, downloading pirated software, and sharing passwords — can put your data and systems at risk. But “passive” mistakes — like failing to update software and plug-ins — are also problematic because they create cyber security vulnerabilities that can be exploited by attackers.
We have seen the problem firsthand on endpoint PCs. Within our ThreatSim® simulated phishing tool, if an end user falls for one of our mock attacks, we are able to fingerprint that user’s browser and plug-ins to identify risks (which, naturally, is beneficial for response teams). For the Wombat Security Technologies 2016 State of the Phish Report, we looked back through those fingerprints and evaluated how likely it was for specific plug-ins to be out of date; this is what we found:
- Adobe PDF: 61%
- Adobe Flash: 46%
- Microsoft Silverlight: 27%
- Java: 25%
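The figures above come from comparing each fingerprinted plug-in version against what is currently supported. The script below is an added example of that analysis, not code from Wombat Security or the ThreatSim product: it takes constructed fingerprint records (the user names, plug-in names and version strings are made up, and the minimum-version baseline is an assumed placeholder rather than a vendor-published one), computes the per-plug-in out-of-date rate, and lists the users who need follow-up, which is the same information the tip about identifying at-risk users later in this post relies on.

```python
"""Added example: turn browser/plug-in fingerprint records into
per-plug-in out-of-date rates and a follow-up list of at-risk users.
Not part of ThreatSim; data and baselines below are constructed."""
from collections import defaultdict
import re

# Constructed sample fingerprints: one record per user who clicked a
# simulated phishing link. Versions are illustrative only.
FINGERPRINTS = [
    {"user": "alice", "plugins": {"Adobe PDF": "15.0.0", "Java": "1.8.0_45"}},
    {"user": "bob",   "plugins": {"Adobe PDF": "11.0.10", "Adobe Flash": "20.0.0.306"}},
    {"user": "carol", "plugins": {"Adobe Flash": "18.0.0.209", "Silverlight": "5.1.41212"}},
    {"user": "dave",  "plugins": {"Java": "1.7.0_80", "Silverlight": "5.1.41212",
                                  "Adobe PDF": "15.0.0"}},
]

# Assumed minimum acceptable versions (placeholders for this example; a real
# deployment would take these from the vendors' current support statements).
MINIMUM_VERSION = {
    "Adobe PDF": "15.0.0",
    "Adobe Flash": "20.0.0.306",
    "Silverlight": "5.1.41212",
    "Java": "1.8.0_45",
}


def version_key(version, width=4):
    """Numeric components of a version string as a fixed-width tuple.

    '1.8.0_45' -> (1, 8, 0, 45); '15.0' -> (15, 0, 0, 0). Padding with
    zeros keeps '15.0' and '15.0.0' equal instead of ordering by length.
    Non-numeric fragments (e.g. 'u45', 'beta') are ignored, which is a
    simplification; real vendor strings vary more than this."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))


def is_outdated(name, version):
    """True when the observed version is below the assumed baseline."""
    return version_key(version) < version_key(MINIMUM_VERSION[name])


def outdated_rates(fingerprints):
    """{plugin: fraction of fingerprints that carry an outdated copy}."""
    seen = defaultdict(int)
    old = defaultdict(int)
    for fp in fingerprints:
        for name, ver in fp["plugins"].items():
            if name not in MINIMUM_VERSION:
                continue  # no baseline for this plug-in; skip rather than guess
            seen[name] += 1
            if is_outdated(name, ver):
                old[name] += 1
    return {name: old[name] / seen[name] for name in seen}


def users_needing_updates(fingerprints):
    """{user: sorted list of outdated plug-ins}, omitting users with none."""
    result = {}
    for fp in fingerprints:
        bad = sorted(n for n, v in fp["plugins"].items()
                     if n in MINIMUM_VERSION and is_outdated(n, v))
        if bad:
            result[fp["user"]] = bad
    return result


if __name__ == "__main__":
    for name, rate in sorted(outdated_rates(FINGERPRINTS).items()):
        print(f"{name}: {rate:.0%} out of date")
    for user, bad in users_needing_updates(FINGERPRINTS).items():
        print(f"{user}: update {', '.join(bad)}")
```

The rate is computed over users who actually have the plug-in installed, not over all clickers, so a plug-in that few people run but most run out of date still shows a high percentage; that is the same denominator the list above implies.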
Because these commonly used plug-ins are targeted by attackers, many browser vendors are moving to eliminate embedded plug-ins. In that vein, Oracle announced at the beginning of the year that it was removing browser plug-in support in the newest version of its well-used — and often-exploited — Java software. Even though this is a big step in the direction of safer web browsing, as Brian Krebs of KrebsOnSecurity fame noted, “[I]t will probably be years before various versions of this plugin are mostly removed from end-user systems worldwide. And some businesses still reliant on very old versions of Java will continue to use outdated versions of the program.”
A lack of user savvy — and, potentially, concerns about installing software — likely contributes to out-of-date components on end-user systems. But habits and “fear of the unknown” are also part of the problem. Users who are comfortable with older versions of software may be reluctant to upgrade to a new version, a decision that becomes particularly problematic in end-of-life/end-of-support situations. Internet Explorer will no doubt be an issue in years to come; in January, Microsoft announced that only the latest version of Internet Explorer — Internet Explorer 11 — will continue to be supported on Windows 7, Windows 8.1, and Windows 10. Users may be resistant to upgrading to an unfamiliar version and could be downright nervous about making the suggested switch to the new Microsoft Edge browser. The continued use of the long-outdated Windows XP operating system is a great example of the issues that are created when a widely used piece of software reaches an end-of-support state.
So, how to win the battle of end-user upgrades? Here are some tips:
- Automate as much as possible. Allowing users to put off Windows updates, for example, is a dangerous game, as the patches are often security-related.
- Educate your users about the dangers of outdated software — and explain the issues in terms they can understand. Technology has advanced so much in recent years, and the average user probably can’t comprehend how interacting with a phishing email can lead to a compromised browser.
- Use a tool like our ThreatSim platform to identify the end users who are at risk, and follow up on that information to ensure appropriate updates to out-of-date plug-ins happen.
Perhaps most important is this piece of advice: Don’t ignore the problem. With so much going on day to day, it can be easy to push headaches like this down the road. However, even baby steps in the right direction are moves toward a more aware, more secure workplace.
Our Anti-Phishing Training Suite merges assessments, education, reinforcement, and measurement to change behaviors and reduce end-user risk. It's an easy way to kick off an effective security awareness training program.