Vulnerability exploits remain an important mech- anism for malware delivery, despite efforts to speed up the creation of patches and improvements in software updating mech- anisms. Vulnerabilities in client applications are often exploited in spear phishing attacks and cannot be discovered using network vulnerability scanners. Analyzing their lifecycle is challenging because it requires observing the deployment of patches on hosts around the world. Using 5-year data collected on 8.4 million hosts, available through Symantec’s WINE platform, we present the first systematic study of patch deployment in client-side vulnerabilities. Our analysis of the vulnerability lifecycle of 10 popular client applications identifies several new threats presented by multiple installations of the same program and shared libraries that may be distributed with multiple applications. We find that 80 vulnerabilities in our data set affect common code shared by two applications. In these cases, the time between patch releases in the different applications is up to to 118 days (with a median of 11 days). Furthermore, as the patching rates differ between applications, many hosts patch the vulnerability in one application but not in the other one. We demonstrate two novel attacks that enable exploitation by invoking old versions of applications that are used infrequently, but that remain installed. We also find that the patch rate is affected by user-specific and application-specific factors; for example, hosts belonging to security analysts and applications with an automated updating mechanism have significantly lower median times to patch.