
Close Windows security gaps with third-party software patching

Hackers target third-party software on Windows workstations because they know the patches are often out of date. Admins can bolster security by fixing these issues.

Missing third-party software patches are one of the top security risks in any organization.

Java, Adobe Reader, Apple iTunes and other third-party tools make the Windows end-user computing experience better, but in many organizations third-party software patching is lacking. When IT does not properly maintain third-party software, it creates unnecessary business risks.

If administrators run authenticated -- or even unauthenticated -- vulnerability scans against Windows workstations, they are likely to find dozens of systems missing third-party software patches that are two, three or sometimes five years old. This is bad.

Annual security research reports, such as the Verizon Data Breach Investigations Report, show that attackers target vulnerable, unmaintained third-party software in practically every business. All it takes is one missing patch combined with one errant user click to introduce ransomware or other advanced malware into a network. Once that happens, the security controls IT has established are undermined, and admins must spend time and effort cleaning up the mess.

[Figure: Ransomware by the Numbers, 2016]

Third-party software patching requires vigilance

As most IT shops have found, Microsoft's patching tools, including Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM), are not terribly friendly when it comes to third-party software, so admins should not rely solely on them. Even when using other vendors' patch management products, such as SolarWinds Patch Manager or GFI LanGuard, admins must verify that the third-party patch deployment actually does its job.


Admins should also check whether some third-party software patches slip through the cracks. Almost any patch management product can scan endpoint devices for missing patches. In addition, some applications do not patch well remotely and require follow-up work, and others may be reported as applied when they are not. It pays to double-check.

Conversely, if admins use a third-party patch management tool for core Windows updates, WSUS, SCCM or even plain Windows Update are still good failsafes to make sure everything updates correctly. Any unintentional oversight creates a false sense of security and may not show up until the next authenticated vulnerability scan.
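One way to do that double-check on the endpoint itself, rather than trusting the patch tool's own report, is to read the Windows uninstall registry keys and compare the recorded version of each product against the minimum version the patch tool claims to have deployed, then confirm that the executables on disk agree with the registry. The following PowerShell is an added example, not code from the original article or from any of the products it names. The product name patterns and minimum versions in $Baseline are placeholders; substitute the versions your own patch tool reports as deployed.

```powershell
# Added example (not from the original article): verify third-party patch
# levels directly on a Windows workstation instead of trusting the patch
# management console. Run it locally or through Invoke-Command against a
# list of hosts. No elevation is required to read HKLM uninstall keys.

# Assumed baseline: DisplayName wildcard pattern = minimum acceptable version.
# These numbers are placeholders; replace them with what your tool deployed.
$Baseline = @{
    'Adobe Acrobat Reader*' = '20.0.0'
    'Java 8 Update*'        = '8.0.3110.11'
    'iTunes'                = '12.11.0.26'
}

# Enumerate both the native and the 32-bit (WOW6432Node) uninstall hives;
# 32-bit products on 64-bit Windows only appear under the second key.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion }

function ConvertTo-VersionOrNull {
    param([string]$Text)
    # Vendors are inconsistent: strip suffixes such as "-beta" and return $null
    # if what is left is still not a dotted version, so callers can flag it.
    $clean = ($Text -split '-')[0].Trim()
    try { return [version]$clean } catch { return $null }
}

$Report = foreach ($pattern in $Baseline.Keys) {
    $minimum = [version]$Baseline[$pattern]
    $found   = @($Installed | Where-Object { $_.DisplayName -like $pattern })

    if ($found.Count -eq 0) {
        # Distinguish "never installed on this host" from "patched".
        [pscustomobject]@{ Product = $pattern; Registry = $null; OnDisk = $null; Status = 'NotInstalled' }
        continue
    }

    foreach ($app in $found) {
        $regVersion = ConvertTo-VersionOrNull $app.DisplayVersion

        # Do not trust the registry entry alone. If an install folder is
        # recorded, read the version stamped into the executables on disk;
        # a failed or half-applied update often leaves the old binaries behind.
        $diskVersions = @()
        if ($app.InstallLocation -and (Test-Path -LiteralPath $app.InstallLocation)) {
            $diskVersions = @(
                Get-ChildItem -LiteralPath $app.InstallLocation -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
                    ForEach-Object { ConvertTo-VersionOrNull $_.VersionInfo.ProductVersion } |
                    Where-Object { $_ } |
                    Sort-Object -Unique
            )
        }
        # Newest executable found; helper binaries are often older, so only
        # flag the case where nothing on disk reaches the minimum.
        $newestOnDisk = if ($diskVersions.Count -gt 0) { $diskVersions[-1] } else { $null }

        $status = if (-not $regVersion)                              { 'UnparseableVersion' }
                  elseif ($regVersion -lt $minimum)                  { 'MissingPatch' }
                  elseif ($newestOnDisk -and $newestOnDisk -lt $minimum) { 'RegistryPatchedDiskNot' }
                  else                                               { 'OK' }

        [pscustomobject]@{
            Product  = $app.DisplayName
            Registry = $app.DisplayVersion
            OnDisk   = ($diskVersions -join ', ')
            Status   = $status
        }
    }
}

$Report | Sort-Object Status, Product | Format-Table -AutoSize
```

Anything reported as MissingPatch or RegistryPatchedDiskNot is a host where the patch tool's console and reality disagree, which is exactly the gap the next authenticated vulnerability scan would otherwise be the first to notice. The UnparseableVersion rows are worth a look too, since a version string the script cannot compare is one a scanner may also misjudge.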

Do not trust users

When it comes to software patching, IT should not rely on users. Even when IT shops automate most patches, users may still need to be told to reboot or make other changes on their end. Proceed with caution and keep users out of the loop when possible. If IT wants dependable patch management, it has to do it well across the board, with third-party software patches in the mix. Anything less is a breach waiting to happen.
