Is it time to update my software?

So I've been using few months outdated software on a machine I like to keep as secure as possible. Why? Guess my thought that constant updates mean more chance smth will get screwed up. For example I still run firefox 2 on it, the last version after which they stopped updates.

If my priorities are security and privacy would you recommend me to update to newer version of firefox 3? If yes is going with the latest version on their site good?

Other software I havent updated in a while are Sandboxie and flash by adobe. Same question, with security/privacy in mind should I update and if yes is going to the newest version of these apps best?

Another app that I havent used and I need to start using is Internet Explorer. Which version would you recommend, again with security and privacy as priority, and how can I secure it properly? Havent used IE in ages so need lots of help on this one.

Thanks.

 

update all the software mentioned to the latest available version*. The versions you are using are riddled with security vulnerabilities.

* what OS and is that at least patched/updated?

 

You made a BIG confusion, dude.

Always update to the latest version of all software you have installed. Otherwise, you will be affected by old vulnerabilities that got fixed on latest releases.

Always using latest versions dramatically improve security. This is a practice recommended by every security researcher and there are several studies that prove this to be true (besides countless real events).

Use Secunia PSI to help you on this task, if you want: http://secunia.com/vulnerability_scanning/personal/

 

Yes, you absolutely should update to FF 3.6.x and - if the reason behind not updating is that you dislike the browser - simply switch to another browser. There are tons of vulnerabilities w/ active ITW exploits for FF2.

(And yeah, Secunia PSI is very useful if you only update for security-related reasons.)

 

securreten, if your setup is working for you, then there's no urging need to switch. If you know what you're doing and how to behave, then it's really the matter of convenience. You can remain absolutely fine with super-ancient software, with just a bit of prudence.

On Windows XP, I have IE6 and I never use it, so I don't really care.

From what you're saying, you're sandboxing apps, so you're probably ok. You can blend similar LUA/permission solutions like SuRun or software policies, maybe Noscript for Firefox, etc, to get an even tighter grip on old software, if required. All in all, the security hype is overplayed.

Mrk

 

Yeah I kinda agree with you and i use some of the things you mentioned. But on this system security/privacy is a priority for me so I'm trying to figure out if the possible bugs introduced with new updates (that may compromise security/privacy) are worth the extra security. For example there was some talk about how in ff3 some privacy issues showed up that weren't there with ff2.

So is newer better speaking from strictly security/privacy point?

 

question for all

Tnx for replies e1. Question for all

What version of IE would you recommend with security/privacy as priority? And can you tell me how to secure the thing? I havent used it in ages and I may need to use it for few sites that deal with things like internet banking, so need pretty tight security there.

btw I use win XP sp3.

 

IE6 - extremely sucky junk
IE7 - eh... not really there
IE8 - big improvement security-wise (but still not my cup of tea so I don't use it)

 

I agree that not updating is generally the wrong approach. While many updates bring new features, the vast majority of them are to fix bugs and security holes. Unless you have a specific reason for not updating, you should always update.

But as a general course of action, IMO, sooner or later, not updating will bite you someday...

 

Why not give SeaMonkey a spin. It's a lot like Fx 2 in a way.

 

Remember if you have unsecure software on your system even if you dont use it malware could. so its best to update to IE8 even if you never use it.

 

No.

Flash, ANY version, is full of holes. Adobe is always slow with patching their stuff, and some 'hackers' keep the vulnerabilities they found for themselves. Flash is also bad for privacy.

Sometimes an older version of something is less frequently targeted.

If you rely on Sandboxie for your security it's probably better to update it.
I have no experience with Firefox.

Securing IE ?
If you go for IE 7 set the security settings for all zones to just below 'high'. Also, through privacy, advanced, you can set your browser to accept/block direct cookies, indirect cookies, session cookies. If I recall correctly it is somewhat bugged, so it's not completely reliable. But the automatic cookie policies are junk.

I tried IE 8 once while troubleshooting and found it to be annoying. Supposedly IE 8 is safer. But does your hardware support DEP ? If not, I'm not sure IE 8 is safer.

Note: it seems securing IE 7's settings can cause problems with Firefox.

 

I dont think my hardware supports dep its bit older. Thats that thing that prevents reading from the memory? I think I have it enabled on other com.

 

How about some security addons for IE8? Are there equivalents of noscript and adblock plus for IE8?

Also since I only plan to use IE for only few sites is it possible to "lock it down" so it doesnt go anywhere else?
Would this option interfere with programs that "utilize" IE in some form (in other words programs that dont launch IE but use its architecture somehow... like if you disable cookies in internet options they get affected).

 

WOT, Linkscanner, McAfee Siteadvisor...

Adblock: Adblock for Internet Explorer is not an option

For noscript and similar, would be pretty much pointless, use the stuff bundled w/ IE. Also, press F12 and play with that.

 

Yes, as long as the update brings security bug fixes/improvements (mostly of them are less or more related to this).

Latest version, v8.

IE8 has the very good SmartScreen filter bundled in, and you can install:

WoT: http://www.mywot.com/
Simple AdBlock (equivalent of AdBlock Plus): http://simple-adblock.com/
SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

About NoScript, you can get some of its protection in IE8 automatically though the XSS filters and manually by adding suspicious websites to the Restricted Zone and/or enabling InPrivate filtering.

 

Well I'm already finding issues which remind me why I hate updating so much...

After I updated sandboxie and I'm already finding an issue. I can't seem to update firefox in sandbox. First I get bunch of warnings from sandboxie then firefox says update failed.

So now we can't update firefox in sandboxie? This is bit frustrating as I as many have used sandboxie to experiment with firefox. Solutions?

Another issue, tried to install fllash, their site took me to download some adobe download manager that doesnt seem to do anything.

So now we gotta start using this adobe download plugin/addon thingy to update flash? Is a simple setup too much to ask these days? Any way around this? This download plugin/addon thingy doesnt look safe to me and besides I like to keep addons in firefox to minimum to avoid issue/security breaches. Help?

 

Of course you can't. Would defeat the point of sandbox if you can rewrite the browser executable outside of it. To update, you need to run FF unsandboxed and let it do the update. Or, simply download the full installer instead to update.

This ADM is extreme piece of junk. Just download the EXE installer from IE - choose other browser on the flash download page - and install it.

 

You misunderstood what I was saying. I said I've used sandboxie to test new firefox versions, betas or addons because I know they'll be gone after I clean the sandbox. Now this feature seems to be gone.

Is this feature in the pay version now? I'm using the free one.

Also as I don't use IE atm can anyone recommend trustworthy 3rd party site where I can get the flash from?

 

I don't understand really. There never was any feature like that - this was and is still done by simply installing FF or whatever else into the sandbox. I.e., you need to run the installer itself sandboxed. If it doesn't work for you, then either your sandbox is configured in a way that prevents that (do not check any of the usual compatibility things in there, such as direct access to profile, bookmarks and whatnot) or you need be a whole lot more precise about the errors you get.

 

Would you drink 9 year old milk?

 

For IE 7 and probably IE 8 you can use the mvps HOSTS file.
It cuts down on the tracking. You can't rely on it to protect you, but you'll see fewer ads.

Of course, you need to update it frequently to get the most out of it !
But that's easy.

Why don't you use Returnil ?
If you hate updating, maybe that program is a good choice. The paid version is said to have some extras.

 

Completely irrelevant.

Maybe a better analogy would be: would you drive a 9 year old car?

Mrk

 

the same must be true for other OS. Do you bother updating your systems, or your clients/customers or does the same advice applies?

 

I know that you didn't mention Microsoft Office, but Microsoft Security Intelligence Report Volume 8 has some information that nonetheless may be of relevance to this discussion: