Programs are leaky. Much like boats. Given enough time, all boats get leaks and need patched up. So do programs. They all have vulnerabilities that could give bad guys a way to gain access to your system. It’s just a matter of time until those holes are discovered.
A typical attack goes something like this:
- Bad Guy discovers a hole in Adobe Reader’s programming
- Bad Guy creates an evil PDF file that takes advantage of that vulnerability
- You have an old version of Adobe Reader that still has the hole in it
- You click on a link that opens Bad Guy’s PDF file on your computer
- Bad Guy’s PDF file runs it’s malicious code in your outdated Adobe Reader
- Your system is compromised
Now replace “Adobe Reader” in that scenario with any number of other programs. It applies everywhere. The more popular a program is, the bigger of a target it is.
How Do I Keep My Programs Updated?
When a software developer becomes aware of a vulnerability in their program, they have a responsibility to create a patch to fix it (some are quicker about it than others…). And unfortunately, it’s largely up to you to know when the patch is available and then to install it.
Some developers try to help you out by notifying you when an update is available. These are usually in the form of pop-up bubbles that say something like, “A new version of [program name] is available for download”. That means the version you have is outdated and needs fixed. Sometimes, they’ll even make the program update itself.
But not all developers do this and so it leaves you with the responsibility of periodically checking all your programs on your own. And let’s be honest, most people get as excited about spending their evenings updating programs as they would about doing taxes.
So how do we keep up with all the programs we have installed? Luckily, there are a number of solutions that do real-time monitoring of the programs on your computer and attempt to alert you when new updates are available. Then you just have to click the update button and in theory, you’re done. Some will even update them for you. Here are some of the best solutions.
Secunia PSI is a “set it and forget it” tool. It runs in the background, watching the programs on your computer and continually checks its online database to see if new versions are available. It even has the ability to update the programs automatically to help you out a bit.
Other neat features include a meter to indicate how critical the update is, and the ability to only scan programs on selected volumes if you have more than one hard drive in your computer.
The personal version of Secunia PSI is free for home users, but there are also licenses available for purchase if you’re a business.
How To Use Secunia PSI
FileHippo.com is a reputable online repository for programs. You can find almost anything there that you need.
What’s more, they’ve gone the extra mile and provided a very simple and lightweight tool that monitors your programs for updates. The list of programs it monitors is of course limited to the ones it hosts on its website. So it’s not an exhaustive database. But the list of programs it does support is still quite amazing.
I have noticed from personal use that FileHippo’s solution tends to have more up-to-date alerts thanks to how tightly it’s integrated with its own database. I usually become aware of updates with this tool before any other.
Antivirus software updaters
Many antivirus and internet security solutions now have included software updaters similar to Secunia and FileHippo. Check yours to see. They typically don’t include as robust of a program database as those listed above, but they usually keep track of the most vulnerable ones.
These may be redundant if you have the other ones installed, but it never hurts to have several solutions to keep an eye on things.
Of course, there’s the hands-on approach. It’s difficult to monitor every program you have to verify it’s updated. And really, who wants to spend the time doing it? But I would recommend at least checking the worst offenders ever so often. Right now, these are Java, Adobe Reader and Adobe Flashplayer. These have been better lately about updating themselves, but it doesn’t always work like it should.
At some point you will find yourself needing to do this because the automatic solutions listed above are not perfect. And remember, don’t install the new version unless you already have the program on your computer. If you don’t need it, don’t install it.
What About Zero-Day Exploits?
Now that your programs are all current, there is something else to keep in mind. Even if you’re diligent about keeping everything updated to the latest versions, it doesn’t mean you can relax.
It happens frequently that criminals discover a vulnerability in a program before the developers do. This gives the bad guys a humungous head start. These unknown vulnerabilities that don’t have patches yet are called zero-day vulnerabilities. It may take weeks or months before the developers catch on, and by then some real damage may have already been done.
So it’s important to never assume you’re completely safe. Just because you’re in a fortress doesn’t mean there aren’t ways to get in. They just may not have been discovered, yet. As always, good judgement is the best defense.
Commonly Attacked Software
- Java – Java is known to be the most attacked software on the internet
- Adobe Reader/Acrobat – The second most commonly exploited software
- Adobe Flashplayer
- Adobe Air
- Adobe Shockwave
- Internet Browsers (Firefox, Chrome, Internet Explorer, Safari, etc)
- Microsoft Office
- … and many, many more