In the past, organizations patched only Microsoft operating systems. As time passed, the need to
patch Microsoft Office and later Internet Explorer, vulnerabilities became obvious, and organizations responded. In the past few years, 3rd party applications have become the primary attack vector for new malware primarily because many organizations have been slow to apply security updates to these applications. Many organizations are at an inflection point where addressing these security threats are no longer being viewed as optional. What follows is a brief summary of research findings that should be considered when determining whether organizations can accept the risk of relative inaction regarding 3rd party application patching.