Is it time to update my software?

Discussion in 'other software & services' started by securreten, May 13, 2010.

Thread Status:
Not open for further replies.
  1. securreten

    securreten Registered Member

    Joined:
    May 13, 2010
    Posts:
    21
    So I've been using few months outdated software on a machine I like to keep as secure as possible. Why? Guess my thought that constant updates mean more chance smth will get screwed up. For example I still run firefox 2 on it, the last version after which they stopped updates.

    If my priorities are security and privacy would you recommend me to update to newer version of firefox 3? If yes is going with the latest version on their site good?

    Other software I havent updated in a while are Sandboxie and flash by adobe. Same question, with security/privacy in mind should I update and if yes is going to the newest version of these apps best?

    Another app that I havent used and I need to start using is Internet Explorer. Which version would you recommend, again with security and privacy as priority, and how can I secure it properly? Havent used IE in ages so need lots of help on this one.

    Thanks.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    update all the software mentioned to the latest available version*. The versions you are using are riddled with security vulnerabilities.

    * what OS and is that at least patched/updated?
     
  3. guest

    guest Guest

    You made a BIG confusion, dude.

    Always update to the latest version of all software you have installed. Otherwise, you will be affected by old vulnerabilities that got fixed on latest releases.

    Always using latest versions dramatically improve security. This is a practice recommended by every security researcher and there are several studies that prove this to be true (besides countless real events).

    Use Secunia PSI to help you on this task, if you want: http://secunia.com/vulnerability_scanning/personal/
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Yes, you absolutely should update to FF 3.6.x and - if the reason behind not updating is that you dislike the browser - simply switch to another browser. There are tons of vulnerabilities w/ active ITW exploits for FF2.

    (And yeah, Secunia PSI is very useful if you only update for security-related reasons.)
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    securreten, if your setup is working for you, then there's no urging need to switch. If you know what you're doing and how to behave, then it's really the matter of convenience. You can remain absolutely fine with super-ancient software, with just a bit of prudence.

    On Windows XP, I have IE6 and I never use it, so I don't really care.

    From what you're saying, you're sandboxing apps, so you're probably ok. You can blend similar LUA/permission solutions like SuRun or software policies, maybe Noscript for Firefox, etc, to get an even tighter grip on old software, if required. All in all, the security hype is overplayed.

    Mrk
     
  6. securreten

    securreten Registered Member

    Joined:
    May 13, 2010
    Posts:
    21
    Yeah I kinda agree with you and i use some of the things you mentioned. But on this system security/privacy is a priority for me so I'm trying to figure out if the possible bugs introduced with new updates (that may compromise security/privacy) are worth the extra security. For example there was some talk about how in ff3 some privacy issues showed up that weren't there with ff2.

    So is newer better speaking from strictly security/privacy point?
     
  7. securreten

    securreten Registered Member

    Joined:
    May 13, 2010
    Posts:
    21
    question for all

    Tnx for replies e1. Question for all

    What version of IE would you recommend with security/privacy as priority? And can you tell me how to secure the thing? I havent used it in ages and I may need to use it for few sites that deal with things like internet banking, so need pretty tight security there.

    btw I use win XP sp3.
     
    Last edited: May 14, 2010
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    IE6 - extremely sucky junk
    IE7 - eh... not really there
    IE8 - big improvement security-wise (but still not my cup of tea so I don't use it)
     
  9. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I agree that not updating is generally the wrong approach. While many updates bring new features, the vast majority of them are to fix bugs and security holes. Unless you have a specific reason for not updating, you should always update.

    But as a general course of action, IMO, sooner or later, not updating will bite you someday...
     
  10. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    Why not give SeaMonkey a spin. It's a lot like Fx 2 in a way.
     
  11. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Remember if you have unsecure software on your system even if you dont use it malware could. so its best to update to IE8 even if you never use it.
     
  12. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    No.

    Flash, ANY version, is full of holes. Adobe is always slow with patching their stuff, and some 'hackers' keep the vulnerabilities they found for themselves. Flash is also bad for privacy.

    Sometimes an older version of something is less frequently targeted.

    If you rely on Sandboxie for your security it's probably better to update it.
    I have no experience with Firefox.

    Securing IE ?
    If you go for IE 7 set the security settings for all zones to just below 'high'. Also, through privacy, advanced, you can set your browser to accept/block direct cookies, indirect cookies, session cookies. If I recall correctly it is somewhat bugged, so it's not completely reliable. But the automatic cookie policies are junk.

    I tried IE 8 once while troubleshooting and found it to be annoying. Supposedly IE 8 is safer. But does your hardware support DEP ? If not, I'm not sure IE 8 is safer.

    Note: it seems securing IE 7's settings can cause problems with Firefox.
     
    Last edited: May 14, 2010
  13. securreten

    securreten Registered Member

    Joined:
    May 13, 2010
    Posts:
    21
    I dont think my hardware supports dep its bit older. Thats that thing that prevents reading from the memory? I think I have it enabled on other com.
     
  14. securreten

    securreten Registered Member

    Joined:
    May 13, 2010
    Posts:
    21
    How about some security addons for IE8? Are there equivalents of noscript and adblock plus for IE8?

    Also since I only plan to use IE for only few sites is it possible to "lock it down" so it doesnt go anywhere else?
    Would this option interfere with programs that "utilize" IE in some form (in other words programs that dont launch IE but use its architecture somehow... like if you disable cookies in internet options they get affected).
     
  15. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    WOT, Linkscanner, McAfee Siteadvisor...

    Adblock: Adblock for Internet Explorer is not an option

    For noscript and similar, would be pretty much pointless, use the stuff bundled w/ IE. Also, press F12 and play with that.
     
  16. guest

    guest Guest

    Yes, as long as the update brings security bug fixes/improvements (mostly of them are less or more related to this).

    Latest version, v8.

    IE8 has the very good SmartScreen filter bundled in, and you can install:

    WoT: http://www.mywot.com/
    Simple AdBlock (equivalent of AdBlock Plus): http://simple-adblock.com/
    SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

    About NoScript, you can get some of its protection in IE8 automatically though the XSS filters and manually by adding suspicious websites to the Restricted Zone and/or enabling InPrivate filtering.
     
  17. securreten

    securreten Registered Member

    Joined:
    May 13, 2010
    Posts:
    21
    Well I'm already finding issues which remind me why I hate updating so much...

    After I updated sandboxie and I'm already finding an issue. I can't seem to update firefox in sandbox. First I get bunch of warnings from sandboxie then firefox says update failed.

    So now we can't update firefox in sandboxie? This is bit frustrating as I as many have used sandboxie to experiment with firefox. Solutions?

    Another issue, tried to install fllash, their site took me to download some adobe download manager that doesnt seem to do anything.

    So now we gotta start using this adobe download plugin/addon thingy to update flash? Is a simple setup too much to ask these days? Any way around this? This download plugin/addon thingy doesnt look safe to me and besides I like to keep addons in firefox to minimum to avoid issue/security breaches. Help?
     
  18. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Of course you can't. Would defeat the point of sandbox if you can rewrite the browser executable outside of it. To update, you need to run FF unsandboxed and let it do the update. Or, simply download the full installer instead to update.

    This ADM is extreme piece of junk. Just download the EXE installer from IE - choose other browser on the flash download page - and install it.
     
  19. securreten

    securreten Registered Member

    Joined:
    May 13, 2010
    Posts:
    21
    You misunderstood what I was saying. I said I've used sandboxie to test new firefox versions, betas or addons because I know they'll be gone after I clean the sandbox. Now this feature seems to be gone.

    Is this feature in the pay version now? I'm using the free one.

    Also as I don't use IE atm can anyone recommend trustworthy 3rd party site where I can get the flash from?
     
  20. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    I don't understand really. There never was any feature like that - this was and is still done by simply installing FF or whatever else into the sandbox. I.e., you need to run the installer itself sandboxed. If it doesn't work for you, then either your sandbox is configured in a way that prevents that (do not check any of the usual compatibility things in there, such as direct access to profile, bookmarks and whatnot) or you need be a whole lot more precise about the errors you get.
     
  21. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
  22. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    For IE 7 and probably IE 8 you can use the mvps HOSTS file.
    It cuts down on the tracking. You can't rely on it to protect you, but you'll see fewer ads.

    Of course, you need to update it frequently to get the most out of it !
    But that's easy.

    Why don't you use Returnil ?
    If you hate updating, maybe that program is a good choice. The paid version is said to have some extras.
     
    Last edited: May 15, 2010
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Completely irrelevant.

    Maybe a better analogy would be: would you drive a 9 year old car?

    Mrk
     
  24. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    the same must be true for other OS. Do you bother updating your systems, or your clients/customers or does the same advice applies?
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I know that you didn't mention Microsoft Office, but Microsoft Security Intelligence Report Volume 8 has some information that nonetheless may be of relevance to this discussion:

     
Loading...
Thread Status:
Not open for further replies.