You’ve installed antivirus software on your computer. You have a good firewall on your PC or home Internet gateway, and you leave it turned on.
And you never open attachments from unknown sources or click on email links that look suspicious.
Yet your computer still has managed to get infected by viruses, Trojans and other forms of malware. How could that happen?
You may have been overlooking the annoying but often crucial update alerts that pop up from time to time on your computer screen.
Chances are that you’ve been busy or didn’t want to be bothered, and you’ve clicked the “Install Later” button when the dialogue box has appeared — and then forgotten all about the warning.
However, those updates usually include patches that fix vulnerabilities in the software. Those patches in turn help your antivirus software, your firewall and all of your other security measures to do their jobs.
Unpatched software, on the other hand, can let the malware right in.
Stale software leads to problems
Few people even have their Web browsers fully patched, as a recent survey found.
In fact, said Bradley Antis, vice president of technical strategy at Orange, Calif.-based M86 Security, the 15 software vulnerabilities that were most often exploited in the second half of 2010 could have been stopped dead in their tracks: all had already been patched by their vendors.
Exploits for those vulnerabilities continued to spread only because countless PC users didn’t bother to update their software, leaving enough unpatched machines on the Internet to allow the exploits to thrive.
“Software is developed in iterations,” said Catalin Cosoi, head of the online threats lab at Bucharest, Romania’s BitDefender. “Each iteration brings new features [and] added functionality and solves issues from previous iterations.”
“By not performing all updates and sticking with old versions of the product,” Cosoi said, “users are exposed to security breaches or using deprecated [out-of-date] functionality.”
According to Satnam Narang, threat analyst at M86 Security, one of the more notable under-patched vulnerabilities was the Internet Explorer vulnerability used in the “Operation Aurora” attacks against Western corporate networks in 2009 and 2010.
“Another one, more recently noted,” Narang said, “was an Adobe Flash zero-day vulnerability that was recently discovered to have been exploited in the targeted attack against RSA,” the security-token vendor. The vulnerability was quickly patched last month.
The software program itself will usually alert you to the need to update, said Narang.
“The applications themselves usually provide users with a dialogue window informing them of an update to their software applications,” he explained. “Some apps provide a silent update process, such as Google Chrome, to ensure that users are running the newest version of the browser.”
The most desirable way for a product to stay updated is if the user doesn’t get involved, Cosoi pointed out.
“Each time there is a new update available, the software will download the update and perform the install,” he said. “Other ways consist [of] automatically checking if there are any new updates available and asking the user if he wants to update, or letting the user do all the work by manual on-demand updates.”
Before updating software, it is a good idea to back up the computer’s data, especially if the update involves the operating system.
Closing the browser or other applications during the update is also recommended, so that no critical data is lost during the update.
Security companies understand that the average user may not know when his or her computers are at risk — so they provide a little extra help.
BitDefender’s security suite contains a vulnerability scanner, which will alert users if some of the software they use is out of date, including browsers.
And the Vulnerability Antidote found in M86’s Secure Web Gateway solution can help take the pressure off by blocking, at the Web gateway, any attempted attacks that use known vulnerabilities.
The general rule of thumb is to always accept the “Install Now” alert, even though there are a few instances where it may be better to wait.
“Java has a big problem here,” said Antis. “Sometimes updating your Java installation to a newer, patched version can break some of your current legitimate Java applications, forcing you then to either roll back the update or wait for that application vendor to issue their update.”
Otherwise, the times to avoid an install are rare. Most postponements involve “beta” updates that add new features, said Cosoi.
“Users are alerted, however, that the update is not yet stable,” he said, “so it is their choice if they decide to install this update or they wait for the stable update.”
So next time one of those annoying update-alert windows pops up, don’t ignore it. Let the update happen. You’ll be glad you did.