Why Microsoft Updates Are Not Enough: The Hidden Risk of Unpatched Applications

Why Microsoft Updates Are Not Enough: The Hidden Risk of Unpatched Applications

Application patching, third-party software updates and why every business needs a broader approach to cyber security.

For many businesses, “keeping computers updated” means one thing: installing Microsoft updates after Patch Tuesday. That is a good habit, and it remains an important part of cyber security. Microsoft’s monthly update cycle helps protect Windows, Office and other Microsoft products from newly discovered vulnerabilities. However, it is only one part of the picture.

The problem is that most computers do not just run Microsoft software. They also run PDF readers, web browsers, remote access tools, printer utilities, conferencing software, file compression tools, line-of-business applications, browser extensions, Java runtimes and many other third-party applications. If these applications are not updated, they can leave the computer exposed even when Windows itself is fully patched.

Patch Tuesday only covers part of the risk

Patch Tuesday has become a familiar routine for IT teams and business users. Once a month, Microsoft releases security updates that address known vulnerabilities across Windows and Microsoft products. Many organisations rely on this cycle and assume that if Windows Update says a device is up to date, the device is protected.

That assumption can be dangerous. Windows Update does not automatically update every application installed on a computer. In some cases, users must enable updates for additional Microsoft products separately. In many other cases, updates for non-Microsoft applications depend on the vendor’s own update mechanism, the user accepting prompts, or an administrator deploying updates through a separate patching tool.

This creates a common gap: the operating system may be secure, but the applications running on it may not be. Attackers know this. They often look for widely installed software that businesses forget to maintain, because one outdated application can provide a route onto the device, into user data, or deeper into the organisation’s network.

Third-party applications are a real-world attack route

Third-party application vulnerabilities are not theoretical. Security agencies and vulnerability databases regularly identify non-Microsoft software that has been actively exploited in the wild. CISA maintains a Known Exploited Vulnerabilities catalogue to help organisations prioritise flaws that attackers are already using, and it strongly urges organisations to make timely remediation part of their vulnerability management process.

A well-known example is Adobe Acrobat and Reader. PDF readers are installed on many business computers and are frequently trusted by users because PDFs are a normal part of everyday work. However, vulnerabilities in Adobe Acrobat and Reader have repeatedly allowed attackers to execute code when a user opens a malicious file. In 2026, CVE-2026-34621 was added to CISA’s Known Exploited Vulnerabilities catalogue; the National Vulnerability Database describes it as a flaw that could result in arbitrary code execution in the context of the current user, requiring the victim to open a malicious file.

Older Adobe Reader vulnerabilities show the same pattern. CVE-2023-21608, for example, affected Adobe Acrobat Reader and could also result in arbitrary code execution if a user opened a malicious file. This is exactly why PDF readers and similar applications must be treated as security-critical software, not as harmless utilities.

Adobe is not the only example. Adobe ColdFusion, Joomla extensions and other widely used software platforms have also appeared in active exploitation reports. In July 2026, CISA added vulnerabilities affecting Adobe ColdFusion, Langflow and Joomla page-builder extensions to its Known Exploited Vulnerabilities catalogue after evidence of active exploitation. These cases reinforce an important lesson: attackers do not care whether a vulnerability sits in the operating system, a browser, a PDF reader, a web platform or a business application. If it is unpatched and exploitable, it can become the way in.

Why application updates get missed

Application patching often fails because responsibility is unclear. Users may assume updates happen automatically. IT teams may focus on Windows updates and antivirus status. Business owners may not know what software is installed across their devices. Over time, this creates a patchwork of outdated applications, abandoned utilities and unsupported software.

There are several common reasons third-party applications fall behind:

  • Users dismiss or ignore update prompts because they are busy.
  • Applications use separate update mechanisms that are not centrally managed.
  • Some software requires administrator permissions to update.
  • Older applications remain installed even though they are no longer used.
  • Line-of-business software may be left untouched because people worry an update will break something.
  • IT reporting tools may not clearly show which third-party applications are out of date.

The result is a hidden layer of risk. A device can appear healthy because Windows is patched and antivirus is running, while still carrying outdated applications that are known to be vulnerable.

Cyber Essentials and the 14-day patching expectation

Cyber Essentials and Cyber Essentials Plus exist to help organisations protect themselves against common cyber threats and demonstrate that they take cyber security seriously. One of the core areas is security update management. Current guidance around Cyber Essentials highlights the importance of applying high-risk or critical security updates promptly, including updates for operating systems, firmware and applications.

This matters because Cyber Essentials is not just about ticking a box. It gives customers, suppliers and partners confidence that your organisation has basic but important security controls in place. A business that cannot identify and patch outdated applications may struggle to prove that it is managing its cyber risk effectively.

For organisations working towards Cyber Essentials or Cyber Essentials Plus, comprehensive application patching can make the assessment process smoother. It helps identify vulnerable software, remove unsupported applications, apply updates consistently and provide evidence that devices are being maintained properly.

What good application patching looks like

A good patching approach should do more than wait for users to click “update”. It should provide visibility, consistency and accountability across all devices. Businesses should know what applications are installed, which versions are running, which updates are missing and which devices need attention.

An effective process should include:

  • Regular scanning to identify installed software and outdated versions.
  • Centralised reporting so risks can be seen across the whole business.
  • Automated deployment of updates where practical.
  • Clear handling for applications that cannot be updated automatically.
  • Removal of unused or unsupported software.
  • Evidence and reporting to support Cyber Essentials and Cyber Essentials Plus assessments.

Most importantly, application patching should be treated as an ongoing security control, not a one-off clean-up exercise. New vulnerabilities are discovered constantly, and vendors release updates throughout the month, not just on Microsoft’s schedule.

Hackers and people with malicious intent are using AI to identify and expose security flaws in applications.  Anthropic's AI agents (Claude Mythos and Claude Code) identified hundreds of software vulnerabilities that humans missed for over two decade!  AI found something in a short space of time that humans had missed for more than 20 years.   Applications are not made from scratch, they are developed over time, meaning they are often built on previous versions of code, which means vulnerabilities can be tucked away inside.  What on the surface appears to be a brand new application, but look under the bonnet you'll find it is actually decades old in some places where old code has been reused in the new application.   

Fortunately Anthropic shared their findings with the application vendors and not the public, however it highlights how easy it is for AI to find and exploit these hidden vulnerabilities, which is why application patching, especially 3rd party applications that often get missed, is carried out regularly, and preferably, automatically.  

How The Silver Cloud Business can help

The Silver Cloud Business offers comprehensive application patching to help clients reduce avoidable security risks across their devices. Our service helps identify third-party applications that are out of date, prioritise updates, and maintain a stronger security posture across the business. 

Our automated patching service is minimally intrusive, yet offers peace of mind and helps organisations stay protected.  We can even roll back updates if it is temporarily causes issues, such as the new version having compatibility issues with older version data etc.

This service can also support organisations that want to achieve or maintain Cyber Essentials and Cyber Essentials Plus accreditation. By keeping applications updated and producing clearer evidence of patching activity, businesses can show customers, suppliers and partners that they take cyber security seriously.

Free application vulnerability scan

If you are not sure how many outdated applications are present across your computers, we can help. The Silver Cloud Business is offering everyone, who is interested, a free application scan to show how many applications are running older versions and where vulnerabilities may exist.

It is a simple way to understand your exposure, identify quick wins and decide whether your current patching process is enough. It's free, you have NOTHING to lose.

It doesn't cost anything, there is no obligation, it is to help you understand the current level of risk your organisation has in terms of exposure.

Call The Silver Cloud Business on 01722 411999 to arrange your free application scan.

 

Sources:  CISA Known Exploited Vulnerabilities Catalogue.  NIST National Vulnerability Database entry for CVE-2026-34621, Adobe Acrobat and Reader Prototype Pollution Vulnerability.  NIST National Vulnerability Database entry for CVE-2023-21608, Adobe Acrobat Reader Use-After-Free Vulnerability.  IASME and Cyber Essentials 2026 guidance on security update management and patching requirements.

Publish Date: Jul 14, 2026