You’re browsing around online when suddenly Chrome gives you a warning that says “Java was blocked because it is out of date,” along with the choice to either update the plug-in or just run the old version. Or you go into iTunes only to get this message, “A new version of iTunes is available. Would you like to download it now?”
Well, frankly, you don’t—doing so is an interruption and it can take time. The process of updating Java the last time I did it took nearly five minutes and don’t even get me started on iTunes—that’s an even lengthier ordeal.
These are only a couple of examples, but in reality it can seem as if you’re constantly being prodded to update software on your computer.
It’s not that Adobe, Apple and the like are trying to be a pain; they just want to protect you. Updates contain important changes to improve the performance, stability and security of the applications that run on your computer. Installing them ensures that your software continues to run safely and efficiently. Keep in mind that many web exploits look for outdated software with unpatched security flaws. This especially holds true for operating system updates. If Microsoft and Apple say they’re recommended, not tagged as optional, you should definitely install them. Even the optional updates are a good idea.
In September, Microsoft released a security advisory regarding a vulnerability in Internet Explorer versions 6 through 9.
“Just visiting a compromised website with a vulnerable version of Internet Explorer can allow attackers to access your computer and install software that steals your personal information. Being infected like this is known as a drive-by download. The software that infects computers through this vulnerability collects information, including user names and passwords for various sites, including bank and email accounts,” reports CITES Security.
Google Chrome, Microsoft Internet Explorer and Mozilla Firefox all default to automatically update themselves on your machine, although all three let you opt out of automatic updates. Obviously, they don’t recommend doing so.
I spoke with Roel Schouwenberg, a senior anti-virus researcher for the computer security firm Kaspersky Lab, about the subject.
He said the unpatched software most targeted by web exploits is Java (56%), Adobe Acrobat Reader (25%), Windows and Internet Explorer (4%), Adobe Flash (3%), Android Root (2%) and other (11%).
Here’s what I asked him:
CD: How do people know which updates they need to be doing?
RS: Well, there are a bunch of different ways you can go about it. The easiest way is to have a piece of software which scans your machine and says “Hey, this software is outdated.” That is one of the approaches we take. We have this small button that says “Scan for vulnerable software [and] you need to update your Flash or whatever.”
The alternative is trying to maintain that yourself. It really isn’t something you want to do. You have dozens of applications installed and especially with the fake update messages I think it’s only something for professionals. (He’s talking about the Facebook scam where you click on a link, such as an enticing story that claims someone famous has died, and you come to a page that asks you to sign in to Facebook again and update your YouTube player, neither of which is a legitimate page.)
So the third way to go and it’s really cutting corners is [to] focus on your Microsoft updates, Windows updates and Office updates as well as your Adobe Flash, Adobe Reader and Java because those are basically most targeted. But they’re not the only targets. But [generally], if you want to go after everything as an inexperienced person you’re probably best off to have a piece of software tell you, “Hey you, this is important--you need to update this.”
CD: So if people use security software to help, would those updates happen in the background when they’re sleeping or otherwise not using their computer? A lot of people don’t like waiting around for an update when they’re using their machine.
RS: I think in pretty much all cases you still need to do something to some extent--it varies. But it’s not a fully automated process in most cases.
CD: So what would you say to the people who say “I don’t want to waste time on this. It takes a half an hour for iTunes to update.”
RS: Well, at that point you’re at significant risk of infection and even though there are lots of other protection methods out there [and] we can do a lot of interesting things, nothing beats an actual software update. A software update fixes the vulnerability, plugs the hole.