According to a report from Danish security vendor Secunia, as many as one third of the applications in use on corporate networks are vulnerable to critical attacks. According to this SC Magazine article, Secunia cites deficiencies in commonly used vulnerability scanners as the culprit. Their point of view is that most vulnerability scanners are designed to scan only for vulnerabilities in the top 20 to 50 applications in use. More obscure products are not scanned and may have unidentified critical vulnerabilities, exposing the network to compromise or exploitation.

From a risk analysis perspective, though, the approach of the vulnerability scanner vendors seems sound enough. The reason a vulnerability scanner vendor might not bother to scan for an obscure application used by only a fraction of a percent of corporations is the same reason it is unlikely that an attacker would exploit it. Attackers are often lazy and use automated tools to identify targets. They tend to seek out exploits that can be leveraged against a wide variety of targets. While a flaw in an obscure program might be critical to the fraction of a percent of companies that use that program, it is relatively unlikely that the average attacker would ever identify or exploit the flaw.

I am not advocating simply ignoring these flaws. I do think companies should be aware of the vulnerabilities that affect their network and that steps should be taken to remove or mitigate weaknesses. I am just pointing out that vulnerability scanning and patching efforts should be invested first and foremost in the threats most likely to be exploited, which probably do not include these more obscure applications unless it is a fluke or a highly targeted attack.
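The prioritization argued for above (weight a finding by how likely it is to be exploited, not only by how severe it is, while still tracking the obscure applications a scanner never looks at) can be made concrete. The following is an added example written for this post, not Secunia's method or any scanner vendor's code. The weighting constants, the application names and the prevalence figures are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed weights: an exploit packaged into automated mass-scanning tools
# makes a flaw far more likely to be used; a small floor keeps a
# "fluke or highly targeted attack" from scoring as impossible.
AUTOMATED_EXPLOIT_MULTIPLIER = 1.5
TARGETED_ATTACK_FLOOR = 0.01


@dataclass
class Finding:
    app: str
    severity: float          # CVSS-style impact, 0..10
    prevalence: float        # assumed fraction of organisations running the app, 0..1
    automated_exploit: bool  # exploit available in automated attack tooling
    scanner_covered: bool    # whether the commodity scanner knows this app at all


def exploit_likelihood(f: Finding) -> float:
    """Estimate how likely an attacker is to actually use this flaw.

    Prevalence drives opportunistic attackers; automation multiplies it; the
    floor represents the residual chance of a targeted attack.
    """
    multiplier = AUTOMATED_EXPLOIT_MULTIPLIER if f.automated_exploit else 1.0
    return min(1.0, f.prevalence * multiplier + TARGETED_ATTACK_FLOOR)


def risk_score(f: Finding) -> float:
    """Risk = impact x likelihood, rounded for stable reporting."""
    return round(f.severity * exploit_likelihood(f), 4)


def prioritize(findings: list[Finding]) -> list[tuple[str, float]]:
    """Return (app, risk) pairs, highest risk first: the patching order."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.app, risk_score(f)) for f in ranked]


def coverage_gaps(findings: list[Finding]) -> list[str]:
    """Apps the scanner does not cover; these need manual inventory review
    rather than being assumed clean because the scan came back empty."""
    return sorted(f.app for f in findings if not f.scanner_covered)


# Constructed sample inventory; severities and prevalences are illustrative.
SAMPLE_FINDINGS = [
    Finding("browser-plugin",   severity=9.0, prevalence=0.80, automated_exploit=True,  scanner_covered=True),
    Finding("office-suite",     severity=7.0, prevalence=0.90, automated_exploit=True,  scanner_covered=True),
    Finding("vpn-appliance",    severity=8.0, prevalence=0.30, automated_exploit=True,  scanner_covered=True),
    Finding("obscure-lob-app",  severity=9.5, prevalence=0.003, automated_exploit=False, scanner_covered=False),
]


if __name__ == "__main__":
    for app, score in prioritize(SAMPLE_FINDINGS):
        print(f"{app:16s} risk={score}")
    print("not covered by scanner:", coverage_gaps(SAMPLE_FINDINGS))
```

Note that the obscure line-of-business application carries the highest raw severity in the sample yet ranks last, because almost no attacker will find it opportunistically; it still appears in the coverage-gap list so it is not silently forgotten. The weights are the part a team should tune against its own threat picture.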