As we explore the machinations of how to hack various operating systems and configurations of applications, browsers, et al., I thought it might be useful and enlightening to look at what operating systems our targets are actually running.
This audience at Null Byte, being relatively young and computer savvy, tend to be running the latest and greatest operating systems and apps, but we can't assume the same is true for our potential targets.
Let's take a look at some current data on operating systems, web servers, browsers, and mobile operating systems, rather than assume that everyone is running the latest, greatest and most secure operating systems. In this way, we can get an idea of what operating systems we should focus our skills on in developing our attack scenarios.
Desktop and Clients
- Windows 7 - 47.5%
- Windows XP - 29.2%
- Windows 8 - 6.6%
- Windows 8.1 - 3.9%
- Windows Vista - 3.3%
- Mac OS X 10.9 - 3.2%
- Linux - 1.6%
- Other Mac OS X versions - 4.5%
You might be surprised that almost 30% of all desktop systems are still running Windows XP, despite the fact that Microsoft will be discontinuing support in April 2014.
I can tell you from my experience at some major corporations and military installations that there are MANY Windows XP systems in those "secure" environments. Apparently, these institutions assume that the transition costs are greater than the potential security risk. Furthermore, Windows XP remains very popular in many developing nations and among pirated copies, which are not reflected here in these figures.
The other thing to note here is that nearly 8% of the client computers are running a version of Mac OS X. Due to a misconception perpetuated by Mac users and salespeople, many Mac users believe that their systems are impervious to hacking and viruses and as such, and a result, don't run antivirus software or other security measures.
Web Browsers
- Internet Explorer 8 - 21.2%
- Firefox 26 - 13.4%
- Internet Explorer 11 - 11.5%
- Internet Explorer - 10 9.8%
- Internet Explorer - 9 8.9%
- Chrome 32 - 6.79%
- Chrome 31 - 6.62 %
- Internet Explorer - 6 4.5%
- Internet Explorer 7 - 2.5%
- Other - 32%
Notice that the most widely used browser is still IE8, despite all its security vulnerabilities, with over 1 in 5 computers still running this browser. If we include IE6 and IE7, over 28% of computers are running these highly vulnerable browsers.
Web Servers
- Apache - 41.6%
- Microsoft's IIS - 29.4%
- Nginx - 14.4%
- GWS - 2.5%
Interestingly, despite all the security problems Apache has had recently, fewer than 1% of the busiest websites are running the newest version of Apache 2.4.x. That's an awful lot of vulnerable web servers!
Mobile Operating Systems (by Browsing)
- iOS - 54.5%
- Android - 34.6%
- Java ME - 4.3%
- Symbian - 3.4%
- Blackberry - 1.5%
- Windows Phone - 0.6%
iOS and Android comprise over 90% of all browsing by mobile devices. Obviously, that is where we should focus our attack efforts.
I hope you find this information enlightening as far as what operating systems, web servers, and browsers are being used by the general public. I feel that many of us lose sight that the rest of the world is not necessarily running the latest and most secure software.
All the better for us.
6 Responses
... Just wow. This is a brilliant read as I have always been under the impression that people update regularly....
That why I wrote it, to dispel that myth.
I wasn't expecting IE8 to be the most popular browser.
I have a feeling this was somewhat inspired by my post on Apple, it's great information to have. Thank you.
And military organisations honestly still use XP? Really? That blows my mind, I would have thought they were running the latest Windows OS.
ghost_
Ghost:
You are right. The section about Apple was inspired by your post. Thanks!
The military has significant transition costs and they are usually the last to upgrade. They depend upon perimeter defenses for security.
OTW
interesting...
Share Your Thoughts