The Desktop Software risk vector looks at a desktop device’s software version and compares it with the latest and currently available software versions to determine if the device software is supported or out of date. Download the endpoint OS-browser versions (ver. 09-APR-2025) list.
macOS 10.15.7 is a capped version. Since we cannot determine whether it is past EOL or not, it is informational and not used for grading.
Desktop devices are laptops, servers, and other non-tablet, non-phone computers in a company's network that access the Internet. The outgoing communications from desktop devices include metadata about the device's operating system and browser version (endpoint data).
Risks
Newer versions of operating systems and web browsers typically fix stability issues, bugs, and vulnerabilities that existed in older versions. Bad actors frequently exploit known bugs in older software versions to steal information or run malicious software. The use of unsupported operating systems and browsers is correlated with the presence of a high number of malware infections and an increased likelihood of breach.
- If there are unsupported desktop devices in an organization's network, there is a greater risk of:
  - System failure (vendor devices are not being maintained).
  - Disruption of business continuity.
  - Attackers using unpatched vulnerabilities to gain system access.
- Connecting a personal device to corporate network infrastructure adds a potential attack surface for a threat actor to gain access to company data and sensitive information.
Grading
Concepts for assessing and grading Desktop Software:
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
Behavior: This default grade does not have a negative impact on the rating. It is equivalent to a perfect grade.
Either:
- There are no findings.
- The estimated number of users falls below a minimum threshold. To avoid sudden fluctuations, the risk vector is reassigned an A to F grade when the estimated number of users has stayed above the threshold for 65 days.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 65 Days
Weight
The Desktop Software risk vector is part of the Diligence risk category; the weights of all risk vectors in that category add up to 70.5% of the Bitsight Security Rating.
Weight: 3%
Remediation
Resources
Recommendations
- Search and identify unsupported desktop software, and then update the software to the latest version.
- Set up auto-update methods for critical desktop software.
- Insufficient information prevents Bitsight from identifying unsupported software. The use of software device management systems is recommended, along with human processes that ensure systems in the organization are patched and the software is up to date.
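The first recommendation above (search for and identify unsupported desktop software) can be approached in-house from the same signal Bitsight's partners use: the user-agent string that desktop browsers send out, which carries the operating system and browser version. The following is an added example, not Bitsight's code or its endpoint OS-browser versions list. The minimum-supported version table, the log format, the log lines and the minimum-endpoint threshold are all constructed for illustration; it also reproduces the page's handling of capped versions (macOS 10.15.7 is reported as informational rather than unsupported) and of the insufficient-data rule (no verdict when too few distinct endpoints are seen).

```python
"""Flag desktop endpoints whose OS or browser version is below a support
threshold, using user-agent strings from a proxy log.

Added example. MIN_SUPPORTED is a constructed illustrative table, NOT the
Bitsight endpoint OS-browser versions list and NOT vendor EOL data.
"""
import re

# Constructed minimum-supported versions (illustrative placeholders only).
MIN_SUPPORTED = {
    "Windows": (10, 0),
    "Mac OS X": (12, 0),
    "Chrome": (120, 0),
    "Firefox": (115, 0),
}

# Versions whose true patch level cannot be read from the UA string
# (browsers stop reporting macOS above 10.15.7): report as informational,
# never as unsupported, mirroring the page's treatment of capped versions.
CAPPED = {("Mac OS X", (10, 15, 7))}

_OS_RE = re.compile(r"(Windows NT|Mac OS X) ([\d._]+)")
_BROWSER_RE = re.compile(r"(Chrome|Firefox)/([\d.]+)")


def _ver(text):
    """'10_15_7' or '90.0.4430.212' -> comparable integer tuple."""
    return tuple(int(p) for p in re.split(r"[._]", text) if p.isdigit())


def parse_user_agent(ua):
    """Return (os_name, os_version, browser_name, browser_version) or None
    when the string is not a recognised desktop browser UA."""
    os_m = _OS_RE.search(ua)
    br_m = _BROWSER_RE.search(ua)
    if not os_m or not br_m:
        return None
    os_name = "Windows" if os_m.group(1) == "Windows NT" else os_m.group(1)
    return os_name, _ver(os_m.group(2)), br_m.group(1), _ver(br_m.group(2))


def classify_component(name, version):
    """'supported', 'unsupported' or 'informational' for one OS/browser."""
    if (name, version) in CAPPED:
        return "informational"
    return "supported" if version >= MIN_SUPPORTED[name] else "unsupported"


def summarize(log_lines, min_users=3):
    """Aggregate findings per endpoint. Each log line is constructed as
    '<client_ip> <user-agent>'. Returns no grade when fewer than min_users
    distinct endpoints were observed, mirroring the insufficient-data rule."""
    endpoints = set()
    unsupported, informational = [], []
    for line in log_lines:
        ip, _, ua = line.partition(" ")
        parsed = parse_user_agent(ua)
        if parsed is None:
            continue  # non-browser client (curl, scripts): no endpoint data
        endpoints.add(ip)
        os_name, os_ver, br_name, br_ver = parsed
        for comp, ver in ((os_name, os_ver), (br_name, br_ver)):
            status = classify_component(comp, ver)
            entry = (ip, comp, ".".join(map(str, ver)))
            if status == "unsupported":
                unsupported.append(entry)
            elif status == "informational":
                informational.append(entry)
    if len(endpoints) < min_users:
        return {"status": "insufficient_data", "endpoints": len(endpoints)}
    return {"status": "graded", "endpoints": len(endpoints),
            "unsupported": unsupported, "informational": informational}


# Constructed sample log: Windows 7 + old Chrome, Windows 10 + Firefox,
# capped macOS + current Chrome, and a non-browser client.
SAMPLE_LOG = [
    "10.0.0.11 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36",
    "10.0.0.12 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) "
    "Gecko/20100101 Firefox/128.0",
    "10.0.0.13 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "10.0.0.14 curl/8.4.0",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for entry in result.get("unsupported", []):
        print("UNSUPPORTED  ", *entry)
    for entry in result.get("informational", []):
        print("INFORMATIONAL", *entry)
```

Run against the sample log, the Windows 7 host is flagged twice (operating system and browser), the macOS 10.15.7 host is listed only as informational, and the curl client contributes no endpoint data. Raising `min_users` above the number of distinct browsers seen switches the result to `insufficient_data`, the same hysteresis the grading section describes for small user populations.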
Finding Behavior
Rescan
The Bitsight platform regularly checks for new observations. A finding rescan updates findings as those observations change, e.g., when a Diligence finding is newly observed or an existing finding is remediated.
Behavior: This risk vector is not assessed using automated scans. Instead, our internal records are updated weekly based on data received from our partners. Learn how this risk vector is observed.
Automated Scan Duration: Not Applicable
User-Requested Rescan Duration: Not Applicable
Remediated
The finding is fixed. See what to do after remediation.
Behavior: There’s a grace period of 28 days for validating and updating software packages.
- April 14, 2025: OS & browsers list 09-APR-2025 version.
- April 9, 2025: OS & browsers list 02-APR-2025 version.
- April 3, 2025: OS & browsers list 26-MAR-2025 version.
Feedback
6 comments
Where is this information collected? Are these devices discovered to be associated with the vendor/company or is this noting that the vendor/company simply allows connections from unsupported versions?
Hello KyleP. Our data partners provide us with the user-agent string from endpoint clients that are loading the content, which includes information about the operating system, the device name (for mobile), browser information (IP address and cookie data). You can learn more here: How are the Desktop Software and Mobile Software Risk Vectors Observed?
Please, can we have a monthly update of the "endpoint OS-browser versions list"?
Hello José. The OS-browser versions list is new as of February 2024. We are still working out the cycle on when and how often to update this. In the meantime, I will check on if there's a newer version available at the moment.
Ingrid, if the issue gets remediated, what would the process be for updating the information on BitSight? Are you able to provide more information?
Sharoon Reyes, I think you may be referring to finding refresh, which is when the Bitsight platform checks for new observations and then updates the findings as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.
For the Desktop Software risk vector, we check our internal records on data received from our partners on a weekly basis.