Description
For software, how heavily it is used also appears to be an indicator of its
vulnerability. When users rarely open a piece of software, they are not
reminded that it needs patching and upgrading, and the neglected software
gives attackers space and time to operate.
We can see this in the research on Microsoft Silverlight, which shows a
recovery period (the time it takes users to install an upgrade after it is
released) of as long as 2 months. At one point, two releases shipped within
5 weeks of each other; their recovery windows overlapped, leaving the user
population exposed for more than 3 months, as can be seen between Q4 of
2015 and Q1 of 2016.
Microsoft announced the end of life of Silverlight in 2012, although
patches and bug fixes are still being released. It therefore poses the same
problem that Internet Explorer does: outdated and unpatched software invites
attackers to exploit it easily.
The recovery period for Java users shows that most are running versions
that are one to three releases behind the most recent one. The time to
recovery is about 3 weeks. An unusual pattern with Java is that the largest
user populations are on recent versions. The Java update cycle is 1 to 2
months.
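The metrics in the Silverlight and Java discussions above (versions behind the current release, time to recovery, and the exposure window created by overlapping recovery periods) can be computed from ordinary fleet inventory data. The following is an added illustration, not code or data from the original report: the release dates, the host inventory, and the adoption telemetry are all constructed, hypothetical values chosen only to reproduce the shapes the text describes (two releases five weeks apart with a two-month recovery period, and a roughly three-week time to recovery).

```python
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed release history for a hypothetical product, in release order.
# These are NOT real Silverlight or Java release dates.
RELEASES: List[Tuple[str, date]] = [
    ("5.1.40", date(2015, 10, 13)),
    ("5.1.41", date(2015, 11, 17)),   # second release, five weeks later
    ("5.1.50", date(2016, 3, 8)),
]

# Constructed fleet inventory: host name -> installed version (hypothetical).
INVENTORY: Dict[str, str] = {
    "ws-001": "5.1.50", "ws-002": "5.1.50", "ws-003": "5.1.41",
    "ws-004": "5.1.41", "ws-005": "5.1.40", "ws-006": "5.1.30",
}

# Constructed adoption telemetry for release 5.1.50: (date, fraction of
# hosts on that release or newer). Hypothetical numbers.
ADOPTION: List[Tuple[date, float]] = [
    (date(2016, 3, 8), 0.02), (date(2016, 3, 15), 0.18),
    (date(2016, 3, 22), 0.41), (date(2016, 3, 29), 0.63),
    (date(2016, 4, 12), 0.85),
]


def versions_behind(installed: str, releases=RELEASES) -> int:
    """Number of releases newer than the installed one (0 = current).
    A version not in the release list is older than any release we track,
    so it counts as behind every known release."""
    known = [v for v, _ in releases]
    if installed not in known:
        return len(known)
    return len(known) - 1 - known.index(installed)


def lag_histogram(inventory=INVENTORY, releases=RELEASES) -> Dict[int, int]:
    """Count hosts by how many releases behind they are."""
    hist: Dict[int, int] = {}
    for version in inventory.values():
        n = versions_behind(version, releases)
        hist[n] = hist.get(n, 0) + 1
    return dict(sorted(hist.items()))


def time_to_recovery(adoption, release_date: date,
                     target: float = 0.5) -> Optional[int]:
    """Days from release until at least `target` of hosts have adopted it.
    Returns None if the telemetry never reaches the target."""
    for day, fraction in sorted(adoption):
        if fraction >= target:
            return (day - release_date).days
    return None


def exposure_days(releases, recovery_days: int) -> int:
    """Total calendar days on which at least one release's recovery window
    (release date through release date + recovery_days) is still open.
    Overlapping windows are merged, which is why two releases five weeks
    apart with a 60-day recovery period expose the population for about
    95 days rather than 60."""
    windows = sorted((d, d + timedelta(days=recovery_days)) for _, d in releases)
    merged: List[Tuple[date, date]] = []
    for start, end in windows:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return sum((end - start).days for start, end in merged)


if __name__ == "__main__":
    print("hosts by releases behind:", lag_histogram())
    print("days to 50% adoption of 5.1.50:",
          time_to_recovery(ADOPTION, RELEASES[-1][1]))
    print("exposure days, first two releases, 60-day recovery:",
          exposure_days(RELEASES[:2], 60))
```

The `exposure_days` merge step is the point worth noticing: an attacker only needs one unpatched release in the fleet, so back-to-back releases extend the exposed period rather than resetting it, which is the effect the Silverlight data shows.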
The overall lesson from time-to-patch cycles is that upgrade release
patterns are a contributing factor in users' security posture, and a
lagging posture can place networks at risk.