A couple of years ago Dr Richard Clayton gave a talk at a Digital Safety Conference where he managed to reduce his list of security advice for users to one thing. He described that one little thing as “patch your operating system”, but what he actually said was: keep all your software up to date.
Now Dr Clayton knows a thing or two about computer security, and his talk is full of sage advice, so watch carefully:
There is a problem with his one piece of advice, which is that you almost certainly won’t follow it. You won’t follow it because you are lazy (most of us are lazy). You won’t follow it because you are daft enough to think “why would they attack my computer?” (the answer is that the bad guys will pay US$0.15 per infected computer, never mind that they can then send malware to all the friends and family in your address book and your social media accounts, steal your credit card details, or sell fictitious items on eBay using your account and have the buyers pay into their PayPal account after emptying yours). But mostly you won’t follow the advice because it is too difficult and time consuming.
Today I needed to check a website using Microsoft Internet Explorer 9, so I logged into a machine running Microsoft Windows 7 (you need a recent version of Windows to even get the option of installing Internet Explorer 9). Immediately I’m greeted by a dialogue asking whether I would like to update a 3rd-party application. The system asks for a reboot afterwards. I then fire up the updater and tell it to install several hundred megabytes of optional updates, including Internet Explorer 9 (which is still an optional update, if you are sitting wondering why you still have the much slower and less capable IE8). These updates, it turns out, require two further reboots to be applied, and also stop mid-way through to ask questions you won’t know the answer to, which is a problem if, like me, you went off to do something else. Another third-party application then asks for another update, and another reboot. I finally get to fire up Internet Explorer 9 in anger, only to be greeted by various dialogues discussing the intricacies of which browser extensions do and don’t work with this version, the upshot of which is that I get to reboot again.
So, after three quarters of an hour and 5 reboots, I can reasonably proceed with my work in relative safety, knowing my browser is shiny and up to date. However, the machine’s software as a whole is far from up to date (and we haven’t even touched on things like the router’s firmware). If I wanted to get the rest of the software up to date I’d probably use a tool like the FileHippo Update Checker or the Secunia Software Checker.
The GNU/Linux distributions generally take a different approach to software distribution: the system’s package manager typically keeps every piece of packaged software up to date. But even here things like browser plug-ins can sidestep this approach, and one can install software outside of the packaging system, although this is relatively rare and not the kind of thing expected of end users.
From a security perspective Dr Clayton is of course correct. Most of the problems caused by malware exploit known vulnerabilities for which patches are already available. Indeed the IT security crowd has a special phrase for an attack using a previously unknown vulnerability, the “zero-day attack”, and it is a thing of fear because, in these days when malware uses multiple methods of attack, the IT department may have little idea what they need to do to detect and contain such a problem.
Until Microsoft Windows’ own updating tools, the ones that are built in and enabled by default, also update 3rd-party software, and the 3rd-party software vendors either flock to those tools or are compelled to use them, this “one little thing” will remain undone.
I had planned to touch on the impact of money, and of software pricing, on updates, but that will have to wait for another day.