For software, the level of use seems to also be an indicator of its
vulnerability. When users do not access software often and therefore
aren’t aware of the need to patch and upgrade it, the ignored software
provides space and time for attackers to operate.
We can see this
in the research on Microsoft Silverlight, which shows a recovery period
of as long as 2 months for users to install upgrades after a release.
At one point, there were two releases within 5 weeks, which affected the
user population for more than 3 months, as can be seen between Q4 of
2015 and Q1 of 2016.
Microsoft announced the end of life of
Silverlight in 2012, although patches and bug fixes are still being
released. However, it poses the same problem that Internet Explorer
does: Outdated and unpatched software invites attackers to easily
The recovery period for Java users shows that most
are running versions of the software that are one to three versions
behind the most recent release. The time to recovery is about 3 weeks.
An unusual pattern with Java is that the dominant populations are those
that use recent versions. The Java update cycle is from 1 to 2 months.
The overall lesson from time-to-patch cycles is that upgrade release
patterns are a contributing factor in user security posture, which can
place networks at risk.