The Average Windows 10 PC Has 14 ‘Weaponized’ Vulnerabilities, New Research Finds

New research, published today, gives food for thought. That food might well leave you feeling somewhat nauseous, however, if you happen to be a Windows 10 user. The report, ‘Prioritization to Prediction (volume 5): In Search of Assets at Risk‘, seeks to make some sense of the comparative risk surface of devices based on which operating system they are using.

Unsurprisingly, the research found that regardless of whether that operating system was from Apple or Microsoft, Linux and Unix platforms, or even Internet of Things appliances and other network devices, vulnerabilities were pretty much everywhere. But it’s the Windows 10 numbers that surprised me, and I’ve been hanging around the cybersecurity business for more years than I care to recall.

Crunching the vulnerability numbers

Those vulnerability counts will vary depending upon the precise “asset mix” you are talking about. Still, by crunching the numbers from nine million devices across 450 organizations, Kenna Security was able to put things into some context. Some rather disturbing context from the security perspective as far as Windows is concerned.

For more than half of those organizations, Windows 10 devices comprised 85%, or more, of the total assets being used. You would expect, given the number of machines involved, the vulnerability totals to be on the high side. I didn’t expect them to be quite as high as this study suggests, though.

According to Kenna Security, the total number of vulnerabilities on Microsoft machines came in at 215 million. I felt a but coming on at this stage, which was quickly answered by the next statistic: 179 million had already been patched. Which would be great were it not that this meant some 36 million vulnerabilities were still unpatched.

How does Microsoft stack up against Apple, Linux and Unix?

If you were hoping for the numbers to improve, there’s more bad news for Windows fans. That 36 million unpatched vulnerability total is more than those found on Linux, Mac, Unix and network devices combined.

To clarify, more than the total number of patched and unpatched vulnerabilities combined.

When talking specifically about Windows 10 PCs, the average number of weaponized vulnerabilities was 14 per desktop. That’s 14 open vulnerabilities with known exploits.

Of course, as the report explains, not all these machines will be internet-facing so that an attacker could probe them for vulnerabilities to exploit. And when it comes to the exploits, the research doesn’t differentiate proof-of-concept exploits from those already integrated into the tools such as Metasploit that are used by penetration testers and hackers alike.

It’s not all bad news for Windows

There is some more good news for Windows users to be found in the research. Most notably that the Microsoft machines were patched quickly.

Talking of which, network devices tend not to have as many vulnerabilities per month, an average of 3.6, but they took 369 days, again on average, to fix.

The speed at which Microsoft fixes critical vulnerabilities is remarkable

“With automated patching and Patch Tuesdays, the speed at which Microsoft is able to fix critical vulnerabilities on their systems is remarkable,” says Wade Baker, partner and founder at Cyentia Institute, which performed the independent data analysis for the report. Baker warned that things like routers and printers could have high-risk vulnerabilities with a much longer shelf life. “Companies need to align their risk tolerance, strategy, and vulnerability management capabilities around these trade-offs,” he concluded.

To which Ed Bellis, CTO at Kenna Security, added, “Some assets have fewer vulnerabilities. Some assets receive lightning-fast patches. These groups don’t really overlap. The data we’re sharing can help enterprise IT and security better decide how to prioritize asset-based risk in their own environments.”

At the end of this particularly complex security day, it all comes down to your appetite for risk tolerance and understanding of the strengths and weaknesses of each platform. Windows-based machines will, without a doubt, it would appear, expose your business to the most significant risk surface in terms of vulnerability numbers. But they will also maximize your chances of fixing those vulnerabilities in the shortest possible time, so shrinking the attack surface quickly.

Hey, nobody ever said that security was easy…

Hot this week

Compliance Alone Leaves You Vulnerable to Attack

Passing compliance audits doesn't prevent breaches. Learn why attackers target compliant organizations and how to build real security beyond checklists.

Your Vulnerability Management Is Broken Because of CVSS Blind Spots

Overreliance on CVSS scores creates vulnerability management blind spots that expose organizations to real risks. Learn how to prioritize based on business context and actual threats instead of arbitrary scores.

Why Perfect Security Is an Illusion and What to Do Instead

Chasing 100% vulnerability elimination creates false security. True protection comes from prioritizing business critical risks, implementing compensating controls, and building incident response resilience.

When Security Automation Creates Dangerous Blind Spots

Over reliance on security automation creates dangerous blind spots. Learn why human oversight remains irreplaceable and practical steps to balance both.

Why Over Trusting Cybersecurity AI Weakens Your Defenses

Over-reliance on AI tools degrades human security skills while creating new vulnerabilities, requiring balanced collaboration between analysts and technology.

Topics

Compliance Alone Leaves You Vulnerable to Attack

Passing compliance audits doesn't prevent breaches. Learn why attackers target compliant organizations and how to build real security beyond checklists.

Your Vulnerability Management Is Broken Because of CVSS Blind Spots

Overreliance on CVSS scores creates vulnerability management blind spots that expose organizations to real risks. Learn how to prioritize based on business context and actual threats instead of arbitrary scores.

Why Perfect Security Is an Illusion and What to Do Instead

Chasing 100% vulnerability elimination creates false security. True protection comes from prioritizing business critical risks, implementing compensating controls, and building incident response resilience.

When Security Automation Creates Dangerous Blind Spots

Over reliance on security automation creates dangerous blind spots. Learn why human oversight remains irreplaceable and practical steps to balance both.

Why Over Trusting Cybersecurity AI Weakens Your Defenses

Over-reliance on AI tools degrades human security skills while creating new vulnerabilities, requiring balanced collaboration between analysts and technology.

When More Security Tools Create More Risk

Adding security tools often increases risk through complexity. Learn how consolidation and staff training create stronger defenses than endless tool accumulation.

Firewalls Create Dangerous False Security and What to Do Instead

Firewalls create dangerous security illusions by focusing exclusively on perimeter defense while attackers exploit internal network vulnerabilities through lateral movement after inevitable breaches occur.

Why Perfect Security Is a Dangerous Illusion

Financial security teams waste resources chasing breach prevention when resilience and rapid recovery deliver better protection. Learn practical steps to shift focus from impossible perfection to manageable containment.
spot_img

Related Articles

Popular Categories