Friday, May 28, 2010

Software - Silent, Deadly and On Your Machine

While my other blog is read-only during the migration to another platform, I thought I would blog a little more frequently here. One of the things I saw float by on Twitter this morning was this link about Adobe going to a more frequent patching schedule.

I made the obligatory joke about Adobe going to a daily patch schedule, simply because of all the security bugs they've had lately - but seriously, there are bigger problems than Adobe.  You may be saying to yourself, "What's worse than Adobe's current security problems?!"  Good question.

Think about how much software you have on your desktop, laptop or whatever you're reading this on right now.  Now, go look.

So did you discover a ton more software than you knew was installed?  What about all those people who bought their computers at Best Buy, "pre-loaded" with dozens of apps they may or may not even know are on their computer?  And what about the patch cycles for all those apps?

You think Adobe has a bad rap for all the security vulnerabilities they include free in their apps, but that's kind of like everyone picking on Microsoft a while back.  When you're the most popular kid on the block you come under more scrutiny and get picked on more than everyone else... which I guess is fair if you want to be #1.  It's not necessarily how bad your software is; it's how you handle it.  Now, I'm not defending Adobe's record - because we all know how awesome that has been lately - but think about everything else out there!

How often do you check for updates on some of the software on your computer?  Ever?

More and more, software is moving to an auto-update model where it "checks in" every so often with home base to look for updates, security or otherwise.  The update prompts pop up on your screen, and I would venture to say that a good majority of people dismiss them (this software has to ask the user's permission before it updates).  So, silently, your computer carries a ton of vulnerabilities you're not aware of, and they probably never get patched.  Awesome.

So ... the next time you're ripping on Microsoft, Adobe or some other super-popular software about all the bugs they're patching - think for one second about all the other software that's on your computers that are rarely (if ever) patched.  How 'bout those bugs?


Unknown said...

And how 'bout the minority of overall systems they are on vs. something like Adobe products... I hate to say it to some extent, but companies need to take a leaflet from Google: Chrome auto-updates without telling me it updated; next time I run it, it's the new version, plain and simple, and updates are pushed fast... Ummm... aren't most end users we deal with more or less able to qualify as retarded? I know mine are at least...

Scott said...

When considering that (security?) bugs exist in any software you may have on your computer, they are only interesting in the context of whether they can be exploited by an attacker. Today's environment only permits that to occur when A) the software runs as a network service and is able to receive connections/data from any source, or B) the software is invoked based on user content, i.e. opening a document or media file. This can be broken down into B1) software that loads as a result of a network client (i.e. your web or email client), or B2) software that opens as a result of receiving files from outsiders (i.e. opening an email attachment or a downloaded file).

I would advise that you can categorize software by risk of receiving malicious input - network services followed by network clients, network client plugins, and finally file processing programs. Review these programs and make sure they are methodically updated, in decreasing order of risk.
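Scott's tiering above, together with the post's point that updaters which wait for the user's permission tend to be ignored, can be turned into a simple triage over an inventory. The following is an added example, not code from the original post or from either commenter. The inventory rows, the "current" vendor version numbers and the tier assignments are all constructed for the demo; a real run would read the inventory from the OS (the Windows Uninstall registry keys, dpkg/rpm, and so on) and the current versions from each vendor's release feed.

```python
"""Risk-tiered patch triage for a desktop software inventory.

Added example: not code from the original post or its comments.  The
inventory, the "current" vendor versions and the tier assignments below
are constructed for the demo; a real run would read the inventory from the
OS (Windows Uninstall registry keys, dpkg/rpm, etc.) and current versions
from each vendor's release feed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Exposure tiers, highest risk first: a network service takes input from
# anyone who can reach the port; a client fetches input from servers it
# contacts; a plugin runs on whatever the client hands it; a file processor
# only sees attacker data when a user opens a file.
TIERS = ["network_service", "network_client", "client_plugin", "file_processor", "other"]

# How the program gets its patches.  Software that never updates itself, or
# only after a prompt the user can dismiss, needs more attention than
# software that patches silently in the background.
UPDATER_RANK = {"none": 0, "prompt": 1, "silent": 2}


@dataclass(frozen=True)
class Program:
    name: str
    installed: str  # version string as reported by the installer
    current: str    # latest vendor version (constructed for this demo)
    tier: str       # one of TIERS
    updater: str    # one of UPDATER_RANK


def parse_version(v: str) -> tuple[int, ...]:
    """Reduce '9.3.2', '10.0.45.2' or '3.6.3 build 1' to a tuple of ints.

    Comparing version strings as text is a classic inventory bug:
    '9.9' > '9.10' lexically, so an older install looks up to date.
    """
    return tuple(int(n) for n in re.findall(r"\d+", v))


def is_outdated(p: Program) -> bool:
    """True when the installed version is numerically below the current one."""
    a, b = parse_version(p.installed), parse_version(p.current)
    width = max(len(a), len(b))
    # Zero-pad so that '9.3' and '9.3.0' compare equal.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def triage(inventory: list[Program]) -> list[tuple[str, str, str, str]]:
    """Outdated programs ordered by exposure tier, then by updater weakness.

    Returns (name, tier, installed, current) tuples, most urgent first.
    """
    outdated = [p for p in inventory if is_outdated(p)]
    outdated.sort(key=lambda p: (TIERS.index(p.tier), UPDATER_RANK[p.updater], p.name))
    return [(p.name, p.tier, p.installed, p.current) for p in outdated]


# Constructed sample inventory (names and versions are made up for the demo).
INVENTORY = [
    Program("Remote Desktop Service", "6.1", "6.1.0", "network_service", "silent"),
    Program("File Sharing Service", "1.2.0", "1.3", "network_service", "none"),
    Program("Web Browser", "3.6.3", "3.6.4", "network_client", "prompt"),
    Program("PDF Reader Plugin", "9.3.2", "9.3.3", "client_plugin", "prompt"),
    Program("Media Player", "9.9", "9.10", "file_processor", "none"),
    Program("Photo Organizer (preloaded)", "2.4", "2.4.1", "file_processor", "none"),
    Program("Desktop Clock Widget", "1.0", "1.0", "other", "none"),
]

if __name__ == "__main__":
    for name, tier, installed, current in triage(INVENTORY):
        print(f"{tier:16} {name:30} {installed:>8} -> {current}")
```

The sort key does the work: exposure tier first, then how the program updates, so a preloaded file processor that never patches itself lands above a prompting browser plugin only if it sits in a higher tier. The `Media Player` row is there to show why versions must be compared numerically; a string comparison would call `9.9` newer than `9.10` and quietly drop it from the list.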