Critical Application Vulnerabilities Are Still on the Rise
Enterprises are in an impossible position when it comes to managing updates of Windows desktop applications. Updates are more frequent than ever, in direct response to increased vulnerabilities. After record-setting 2022 where there was a massive 59% year-over-year increase in critical vulnerabilities, according to a report by The Stack, enterprises experienced a 64 percent increase in the number of vulnerabilities in 2023 (Google, 2024). Cyber gangs are targeting enterprises with vulnerable applications quicker than ever too, with the average exploit occurring within 7 days of public disclosure.
In fact, NCC Group data showed that there were 514 ransomware attacks in September 2023 alone, surpassing the previous high of 502 in July 2023. Gartner® Accelerate Windows and Third-Party Application Patching estimates that “fewer than 60% of devices are patched within 14 days, and most organizations took 30 days or more to reach 90% completion”. For their part, vendors are responding by quickly patching vulnerabilities. Google moved to a more frequent update cadence, with minor updates being pushed every single week according to a report by PC World.
While it is necessary for vendors to quickly provide patches for their applications so customers have a fighting chance to get ahead of the bad guys, InfoSecInstitute found it takes IT teams 38 days to push out a patch for a vulnerable application. I would qualify this by also stating that when there is a vulnerability in mainstream news for mass exploitation, those typically get patched quicker than 38 days. However, in it is an inevitable case of the squeaky wheel getting the grease.
Nonetheless, it is clear enterprise IT teams simply do not have the people or time to manage individual patches upon release across their Windows desktop estate. While focusing all efforts on patching a high-profile vulnerability, there are countless other applications sitting on machines in your environment with vulnerabilities too. If you have a four-person desktop team with 1,000 applications, a mere two percent of those applications having an update available is impossible for the team to vet, package, and deploy in a timely fashion. You may be exposing your corporate assets and customer data without even knowing it.
How Can IT Tackle the Application Update Workload?
Managing the sheer volume of application updates is quite a conundrum for enterprise architects. Do you enable auto-updates within applications to let them update themselves? It may seem like the path of least resistance, but some applications may not even have an auto-update feature. For those that do have an auto-update feature, how many will you allow to do so? Will it just be a handful of business-critical applications? What about the other applications? There are so many areas to cover when it comes to this topic. You really need to keep up to date for all your applications. Any application can have a vulnerability. If you use traditional installation packages – such as an exe or msi or certain layering technologies – the files and components of your applications will be exposed on your machines and network for cybergangs to exploit.
A good example to consider is last year’s Log4Shell vulnerability. On the face of It, an EUC engineer may think to themselves “we do not deploy anything by that name, so we are fine”. As it turned out, a lot of vendors embed log4j2 into their products for logging purposes. If you have 1,000 applications, how do you know if they use log4j2? When you finally uncover which applications in your enterprise do use it, how can you promptly patch them to mitigate the vulnerability?
Other common attack vectors include common shared runtimes, frameworks, and platforms. Libwebp was recently in the news as Google patched a vulnerability with a rare 10 out of 10 on the severity scale. Libwebp is a common library used in several applications. With many applications embedding browsers, you may not realize such a library is in-use within your organization. DevExpress, which is popular particularly for .NET developers, has seen its share of vulnerabilities too. Its components may be used in your enterprise applications, but you may have no idea they are being used. The vendor may release a patch, but unless you dig into the weeds you will likely be oblivious to the criticality of the patch.
All this to say, the temptation to always accept application updates is there. You do not have enough people to package and deploy every update required. You certainly do not have enough resources to have intimate knowledge of every application deployed in your environment and what they may or may not leverage. It is impossible for an enterprise team to stay on top of all application updates and vendor advisories. InfoSec teams themselves may also be unaware of what popular libraries and platforms are embedded by applications deployed in the environment. Just allowing auto-updates to occur could be the lesser of two evils.
Application Patching Means Accepting the Lesser of Two Evils
Any given application update can break something on some (or all) of your machines, significantly disrupting your business. Furthermore, you are essentially opening your network to that vendor and are at the mercy of their supply chain process. If you accept auto-updates, you may also find yourself with little visibility into whether machines are compliant and successfully up to date. Even if you use a third-party product to stage and push application patches as they become available, you are at the mercy of that tool. Often this approach still runs into problems with dated package formats, such as exe and msi, resulting in application conflicts, failed application uninstalls, installation errors, and the security risks posed by per-machine installations – which expose application components to all users and processes running on the network.
Traditional Deployment Tools are Not Up to Enterprise-Scale Application Patching
Unfortunately, traditional provisioning tools are not equipped for enterprise-scale application patching, which contain everything from virtual desktops hosted in the cloud to remote physical endpoints. They were originally designed to manage devices on the corporate network. Some organizations have continued using these tools together with a virtual private network (VPN) on client devices, but this is far from ideal and can cause frustration when employees experience network disconnects due to network saturation. It is best to avoid deploying frequent application updates over VPN as applications tend to be deployed shortly after employees connect to the VPN, often after the morning login storm.
Fortunately, there is a wave of emerging modern provisioning solutions that are cloud-native, making them perfect for deploying applications across any device, on any network, with minimal firewall configuration required. Not all modern provisioning solutions are equal, however. You may find somewhere you get the benefits of the cloud such as elastic scale and the ability to deploy applications to any device, anywhere, BUT in exchange for poor performance. With some solutions, application deployment times can range anywhere from 30 minutes to 24 hours. This is not good when deploying any application updates. It is absolutely unacceptable when trying to patch business-critical applications.
Proactively Secure Your Applications with Containers
Enterprises need to start looking at desktop security differently. IT teams focus a lot of time and effort on managing patches for Windows operating systems. There are plenty of fancy security tools to establish least privilege access management at a process level, sandboxing processes for initial scanning and machine learning for security assessments, automated publishing of certain applications into existing tools like Configuration Manager and Intune, password management, and more. However, individual applications themselves – and the application estate as a whole – are often overlooked.
Applications are a critical factor in enterprise operational efficiency and the digital employee experience. If you provide your users with a brand-new high-powered desktop with the latest Windows operating system but no applications, they will not be productive. When updates break applications, the employees relying on those applications are not productive. While IT spends hours or days trying to roll back poorly executed application patching, the employees can’t move on with their work. When support teams or field technicians are re-imaging desktops because they cannot figure out an application issue, employees cannot be productive. It is not just net-new application deployments or deployments of updates that can be disruptive. Poorly packaged applications can lead to Windows rot, application conflicts, failed application uninstalls and degraded user experience through slow application launch times and slow logins.
Application issues are hard to identify and remediate, meaning they may not be accurately tracked in your IT Service Management product of choice. You may be significantly underestimating how much time and money your current application management tools and methods are costing you. For many enterprises, these issues are death by a thousand cuts. Containers are the best solution for handling application issues, as they prevent applications from being exposed to nefarious users or processes.
Running applications in containers provides granular control over what applications and user processes within the container session can do. For example, you can prevent a user or process running in the container space from copying data in the container to the local machine or outside the container in general.
Containers are designed to be like tiny little standalone virtual machines. In essence, they are like sandboxing technologies you are already using, but much more agile and inclusive of all applications. By acting like standalone VMs running on your desktops, you will never have an application remove a file required by other applications, leave files behind after removal, run into application conflicts, experience installation-related reboots, and many other common issues with other application package formats.
If you have used popular container formats like Docker, you already know how powerful containers can be in terms of providing a robust and highly scalable experience. With Docker, you can seamlessly scale up additional application services to meet demand as new users come online. This is possible because containers are lightweight and portable. Docker containers have enabled infrastructure teams to move on from the archaic need to build new hosts, build new database instances, new virtual machines, and more. Containers bring scale and portability benefits to Windows desktops too. Desktop teams can use them to dynamically deploy all applications to end users no matter what Windows desktop they are using; from a physical desktop in the morning to a virtual desktop in the cloud in the afternoon, to a published desktop hosted in the data center later in the evening. Containers for the desktop applications also provide that flexibility and resilience by enabling IT to quickly deploy application updates and even roll back application updates to a previous state within seconds.
Another thing Docker has always gotten right is how easy it is to automate container creation, container updates, and container management via a comprehensive list of available commands. If you can get that same intuitive automated process for desktop applications, you unlock the ability to handle application updates as they are made available, reducing the turnaround time for updates from 38 days to 1 or 2 days. Of course, another facet to consider is container orchestration. Having someone run commands on-demand to manage and update containers is not viable. A container orchestration product that makes application management easy, making it a must for IT administrators at every stage of their career.
Eliminate Application Patching by Modernizing with Containers
Enterprises must take a proactive approach to increasingly frequent application updates. Securing your enterprise containerizing your applications and automating the process is the way of the future. It’s time to retire application patching for good.
Containers are preferable over traditional exe and msi packages for timely application updates as they are designed to reduce the chances of disruption from bad packages or patches gone wrong. The ability to rapidly rollback to a previous state ensures downtime by a bad patch is kept to a minimum.
Container orchestration is also the true form of modern provisioning as containers can be quickly deployed, whereas other modern provisioning solutions bake in slowness due to how they handle traditional package types and their required timing intervals for managing the deployment process. With Windows 11 on the horizon, it is time to consider how you handle your applications going forward. Are you going to convince yourself you can modernize with solutions that are “good enough” or embrace containers to truly modernize your organization with the same fervor the elite companies have over the last 10 years with infrastructure management? Now is the time to decide.
Schedule a Demonstration
Sound too good to be true? We’d love to show you how it works in a live setting. Request time with our Solutions Architects to see the power of dynamic application updates, rollbacks, and recalls with Cloudpager in real time and leave application patching behind: