Not all assets are created the same, and the vendor you decide to place the trust of your organization’s security in might be a risky choice. A new report from Kenna Security takes a look at the risk landscape for Microsoft, Linux, and Mac assets.

The report, Prioritization to Prediction: Volume 5: In Search of Assets at Risk, was conducted by the Cyentia Institute. It is based on data from Kenna Security from 9 million assets from 450 organizations.

According to the report, 70% of Microsoft assets had at least one high-risk vulnerability. Throughout the study period, the researchers found 215 million vulnerabilities on Microsoft assets. 179 million of those vulnerabilities, or 83%, had been patched. According to Kenna Security, the remaining unpatched 36 million vulnerabilities were higher than the number of vulnerabilities on Max, Linux, and Unix assets combined. Forty percent of Linux and Unix assets and 30% of network appliances had a known vulnerability. 

Kenna Security noted that even though Microsoft has more vulnerabilities than others, that isn’t necessarily an indication of total risk, as Microsoft also fixes vulnerabilities faster. The report found that Windows-based assets have an average of 119 vulnerabilities per month, and those vulnerabilities are on average patched every 36 days. Compare this to network devices which had an average of only 3.6 vulnerabilities a month, but those vulnerabilities take about one year to patch.

The next highest patch rate was from Apple at 79%. Linux, Unix, and other network devices had a patch rate of 66%. 

“With automated patching and ‘Patch Tuesdays,’ the speed at which Microsoft is able to fix critical vulnerabilities on their systems is remarkable, but there still tend to be a lot of them,” said Wade Baker, partner and founder at Cyentia Institute. “On the other hand, we see lots of assets like routers and printers where high-risk vulnerabilities have a longer shelf life. Companies need to align their risk tolerance, strategy, and vulnerability management capabilities around these trade-offs.”