Is it time to update my software?

Discussion in 'other software & services' started by securreten, May 13, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    According to Microsoft Security Intelligence Report Volume 8, of threats hosted at URLs blocked by Internet Explorer's SmartScreen Filter, sites attempting exploits more than doubled (to 13.3%) in the second half of 2009 vs. the first half of 2009.

    According to Symantec Global Internet Security Threat Report Volume XV,
     
  2. guest

    guest Guest

    =promoting crackers agenda
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    I cannot discuss clients/customers, but I can tell you that it does not matter what you use, it's how you use it.

    Mrk
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    that reminds me of size doesn't matter it is how you use it ;)
    Seriously though, I think it is easier not to, at least, worry about unpatched system/software. Simply by using updated version and worry, if at all, about other aspects of running the systems/software well and secure
     
  5. guest

    guest Guest

    Oh yea, tell this, for example, to infected flash animations that load malware automatically exploiting vulnerabilities in old versions of the flash player plug-in that many people still use. Another example: your favorite white-listed site on NoScript gets invaded.

    Do I need to tell more? With such irresponsible advice I think that you're indeed promoting crackers' agenda.

    To update software and maintain it regularly updated (especially security updates) is the rule number 1 of pc security, it's even more important than having an AntiVirus, for example, and it doesn't matter how skilled the user is.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Updates have three aspects: 1) security 2) stability 3) unknown changes. You need to weigh these against what you want/require and see what gives. Sometimes, you may prefer old and stable, sometimes new and shiny, sometimes security. It depends on the situation, user, etc.

    I prefer to rely on generic strategy than pinpoint tactics. In general, updates are ok, but there are exceptions. Furthermore, it does not mean that if you do not update, dragons will eat you. Further yet, your strategy has to be such that even if updates are taken out of the equation, you're ok, otherwise you have a single point of failure.

    Mrk
     
  7. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Your advice for a very informed user is something that they could live with. But for most users, I don't believe it is. I consider myself to be more knowledgeable than average but I often have no idea when an update is going to be #3. But I do updates because there are hungry dragons. And for most users that barely cover the basics of security (an up-to-date AV/AV Suite), they are particularly at risk for #1 and #2.
     
  8. securreten

    securreten Registered Member

    Joined:
    May 13, 2010
    Posts:
    21
    tnx for the reply.

    So are you saying it was never possible to update firefox (example from 3.4 to 3.5 or whatever) in the sandbox to test newer versions? You always had to do a complete install from scratch in the sandbox? I recall being able to try out the newer versions of ff but this was a while ago so maybe I'm wrong.

    Can anyone chime in on this?

    Also as I don't use IE atm can anyone recommend trustworthy 3rd party site where I can get the flash from?
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    What you say is exactly the problem. Most people have no idea how, why and when a particular update is going to do anything good or bad for that, except the belief that things are expected to work ok.

    If you have no idea what will happen after you update, the question is, are you prepared for every eventuality? If you are, then 1 is no longer a problem and 2 requires extensive testing, but still you have a known baseline to go back to.

    AV suite you mention is but a speck on the long list of tactical tools, none of which provide the user with understanding or promise of 1-3. This is why saying that updates will work or won't work is meaningless.

    And what hungry dragons are there, exactly?

    Mrk
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    You cannot simply patch FF installed outside of sandbox. The updates do binary patching. So, even if they don't crap out at that moment, just think about the process. It's gonna create a patched copy of firefox.exe inside the sandbox. Now you need to restart. Once you've restarted, you run the %ProgramFiles%\Mozilla Firefox\firefox.exe and not %SANDBOX%\%ProgramFiles%\Mozilla Firefox\firefox.exe. So, are you expecting the already running process that gets chrooted (sandboxed) by SBIE to somehow magically replace itself by a different version that's in the sandbox? :D
     
  11. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    So, HAN, the biggest dragon was 5 years ago ...
    Statistically, you have more chance of dying from <car crash/cancer/war> than that.
    Mrk
     
  13. guest

    guest Guest

    That's a ridiculous analogy, plus any exploit that affects a user can be considered a dragon.

    Consider security flaws in old versions of third-party software that are widely exploited.

    By acting as you recommend ("don't care about updates after all you never know what will happen"), a user of Adobe Reader or Adobe Flash Player, for example, would be vulnerable to them and would get malware easily simply by surfing the web (no matter what browser).

    (Don't start the talk about NoScript, as it has security flaws too + users can be misled to white-list malicious sites on it + white-listed trusted sites can get invaded)

    And remember that we are talking about updates made by big companies (Adobe, Microsoft) with budgets that allow them to maintain several teams of programmers, testers, etc.

    I'm not saying that updates made by the big players are always perfect, after all they are made to incredibly big and diverse audiences so that 100% perfect would be really nearly impossible.

    But I'm sure that you can expect overall bigger quality/stability than the average new available package on your favorite Linux distribution's update manager (I'm even starting to suspect that your dangerous opinion regarding updates derives from bad experiences on the penguin side).
     
  14. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Maybe so (I hope not!) My point was that they do happen. My example was a major one. There are much smaller ones from time to time (I do agree they have much smaller damage potentials.)
     
    Last edited: May 17, 2010
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    More relevant information from Microsoft Security Intelligence Report Volume 8:

     