Security: FOSS/CSS Updates – Are They Worth Anything?

The short answer: Updates are worthless if one does not apply them.

Once again I find myself cleaning malware off of a home user’s Microsoft based notebook PC. Once again, while it has anti-virus software installed it was infected by a “drive-by attack” from a web page. It was infected with the Antispyware Soft fake anti-malware nag and FUD software. The installed Norton Antivirus, which is up to date, did nothing to stop this attack and was then disabled after the malware got on the system. What happened?

As I type this article the notebook PC’s Microsoft system is downloading and applying updates. Many updates. At least a couple of years of updates. Maybe more than that. The IE browser was pre-IE8 and was not patched with security updates even then. The Firefox browser, which is set as the default, was also not up to date. If the system had not been infected and given into the care of my company to clean up it would likely never see another software update applied. Even though the system was set to download and apply updates automatically, the scheduled time was set for 3:00 AM. A time when this notebook PC owned by an older lady will never be on.

Unfortunately, on consumer desktop and notebook PC systems we in the IT community that services this market often find that software updates are not applied. This includes all software updates, not just those that apply to security flaws in software. It seems that in general people with home computers fall into these categories:

  • Ignorant that updates are needed to protect their PC from malware and fix known bugs in the software. These people never apply updates even if notices are popping up to inform them of updates. If the PC is infected they may be blissfully unaware they are using an infected PC.
  • Aware that updates are needed but lackadaisical about applying them. These folk put off updates for many reasons, but mainly because it is inconvenient to apply updates.
  • Aware that updates are needed and apply them regularly.
  • Absolutely fanatical about making sure updates are applied as soon as they are available.

It appears from my experience that the majority of non-technical end-users who end up with infected systems fall into the first category. The second category is a smaller group that have just been lucky to not yet have an infected PC. These two categories of users are almost all Microsoft operating system users. The latter two categories are the small group of users that are more technical and/or security conscious. The more security conscious but non-technical are usually those who have had to deal with a prior PC infection. The latter two categories rarely or never see an infection. The Open Source community of Linux users is generally more technical at this point and thus more likely to take updates seriously.

The main problem as I see it is one of education. A lack of training that emphasizes the importance of getting and applying software updates as soon as possible. Ignorance rather than sloth. There is no government required training course or license to use a PC as there is to drive a car. But I am not calling for government regulation because most government regulations are already too invasive and burdensome. The world needs less government and more personal responsibility, not more government oversight. The answer does not lie in some government regulation.

What can we do about this problem? I can think of at least two things.

  • Those of us who sell to consumers PC systems with popular operating systems installed could take the time to explain to our customers the importance of software updates. We can make that part of the sale (Are you listening Dell? HP? Best Buy? WalMart?) instead of just “selling” Microsoft, Apple or Linux based PC systems and leaving the end-user ignorant. Instead of selling anti-malware as the answer to all malware woes we can be honest and admit that no software is able to make a PC perfectly safe (especially not Microsoft’s operating systems). Then emphasize the importance of getting and installing software updates as they become available. Inform the customer that security is a process, including an awareness of the need for security updates, not a product. Sure, there are still those consumer end-users who will not “get it” and will still not apply updates. But more people being made aware of the importance of software updates will mean more people are likely to take updates seriously and apply them.
  • Automate all updates by default in software on systems expected to be purchased and/or used by the average consumer. Even major updates like XP Service Pack 3 (do not change the original license terms thus requiring end-user agreement, Microsoft, and you can do this too). Then set such automated updates to apply at a time when the computer is likely to be on, perhaps by default scheduling the updates to start after the system has been on for half an hour instead of at some fixed time in the wee hours of the morning when most home PC systems are off. With FOSS systems that use online software repositories this would mean almost all the software would be updated. The exceptions would be software that the user got outside the repositories. Yes, make this the default but leave options for the user to schedule updates or disable updates altogether. The user that has no clue will be a bit more protected by this proactive approach. The user that already is aware of the need for security processes will be able to handle this just fine.

Oh yes, if an automatic update that applies every update is selected we can be sure there will occasionally be hiccups in the process. The end-user should be informed of this probability up front. Not unpleasantly surprised after the fact.
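
The scheduling point above, as an added example (not code from this article): a small Python check that replays a machine's power-on sessions against a fixed clock-time update schedule and against a "half an hour after power-on" trigger. The session times are constructed sample data and the function names are hypothetical.

```python
from datetime import datetime, timedelta, time

# Constructed sample: power-on sessions (start, end) for a home notebook
# that is only used during the day and evening. Not data from the article.
SESSIONS = [
    (datetime(2024, 3, 1, 9, 15), datetime(2024, 3, 1, 9, 35)),   # 20 minutes only
    (datetime(2024, 3, 1, 19, 0), datetime(2024, 3, 1, 21, 30)),
    (datetime(2024, 3, 2, 10, 0), datetime(2024, 3, 2, 12, 0)),
    (datetime(2024, 3, 3, 22, 30), datetime(2024, 3, 4, 0, 45)),  # crosses midnight
]

def fixed_time_runs(sessions, at):
    """Moments at which a daily job fixed at clock time `at` finds the PC on."""
    runs = []
    for start, end in sessions:
        day = start.date()
        while day <= end.date():          # a session may span two dates
            due = datetime.combine(day, at)
            if start <= due <= end:
                runs.append(due)
            day += timedelta(days=1)
    return runs

def after_boot_runs(sessions, delay):
    """Moments at which a job due `delay` after each power-on actually fires."""
    return [start + delay for start, end in sessions if start + delay <= end]

def days_covered(runs):
    """Distinct calendar days on which at least one update run happened."""
    return sorted({r.date() for r in runs})

if __name__ == "__main__":
    policies = [
        ("fixed 03:00", fixed_time_runs(SESSIONS, time(3, 0))),
        ("fixed 00:30", fixed_time_runs(SESSIONS, time(0, 30))),
        ("30 min after power-on", after_boot_runs(SESSIONS, timedelta(minutes=30))),
    ]
    for label, runs in policies:
        print(f"{label}: {len(runs)} run(s) on {len(days_covered(runs))} day(s)")
```

Feeding it real power-on and power-off times from a machine's own event history, in place of the constructed list, shows whether the configured update time ever falls inside a session.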

If any of you have some interesting ideas about making average end-users aware of the importance of applying updates please feel free to post a comment. Comments that average end-users are all “morons” are unwelcome. Try to be a bit more thoughtful than that.

Published by

Gene A.

Gene is a "Unix Guy", network technologist, system trouble-shooter and IT generalist with over 20 years experience in the SOHO and SMB markets. He is familiar with and conversant in eComStation (a.k.a. OS/2), DOS (PC, MS and Free), Unix, Linux and those GUI based systems from Microsoft. Gene is also a follower of Jesus (forgiven, not perfect), and this does inform his world view.

6 thoughts on “Security: FOSS/CSS Updates – Are They Worth Anything?”

  1. A great article. Thank you for putting this together. As a sysadm of 15+ years experience, I’m definitely very sceptical about user training about security. They’re just not interested. So the onus must be on the manufacturer to ideally not sell faulty equipment, but as that’s apparently not realistic (even from multi-billion$$ companies), have a rigorous update facility enabled by default – as per your comments/suggestions above.
    This topic reminds me of how I got inspired to implement a backup regime many years ago. I had to be stung before I listened to the good advice.

  2. There is also another category of users: those that explicitly do not want updates applied, knowing very well that some important piece of software they need won’t ever work with the updated version. Especially Windows/IE6.

    It’s not that they are lackadaisical about it; they just cannot afford a computer that doesn’t run their software. Some (like me) are even very annoyed by this, but what else can we do when we don’t control which software we have to use?
    I need my virtual XP with IE6 at work, I can’t keep my job without it.

  3. You’ve missed out a rather important point – there are many good reasons why people will actively /choose/ not to update their systems.

    Updates involve risks – there are things that can go wrong during the update, it might break existing hardware or software, or (on windows) it might trigger false-positives if you have a poor quality anti-virus program (that is to say, just about /any/ anti-virus program). Automatic updates can be a serious disruption to work when your PC decides when to install them.

    Why should you go to such an effort trying to fix something that is not broken?

    In reality, there are only a few sorts of programs that really should be updated regularly. Your web browser is one – you should update Firefox, Chrome, Opera or whatever regularly, as that helps protect against new browser attacks. If you are scanning email for viruses, you will want to keep that updated (but it is far better to let your ISP do the scanning).

    If you think that updating windows makes a significant difference to the security of your PC, you are either easily fooled by MS’s marketing department, or you are using your PC without any understanding of proper security.

    The way to protect your windows PC from worms and hacks is not windows updates, but by having a /real/ firewall between the internet and your computer. Such devices cost perhaps $50 – cheaper than subscribing to resource-wasting and irritating software “solutions”. It doesn’t matter how many holes your windows machine has – no external traffic gets to it anyway.

    The way to protect your windows PC from Internet Explorer holes is not to use Internet Explorer. Any other browser is a safer choice, and far easier to keep up to date (which you should do, for the browser).

    The way to protect against trojans, phishing, etc., is to use your head. No technical measures will help anyway.

    Windows updates are at best a false sense of security – because they are always playing catch-up once threats are found, you will never be protected against current threats. The same applies to anti-virus software and similar scanners.

    You can’t keep a system safe with a philosophy of letting everything in unless you know it is bad (the windows way) – you keep it safe by blocking everything unless you know it is good (a hardware firewall).

  4. I disagree with David for sure, most attacks these days seem to be more and more web based, drive-bys and even phish schemes via web or xss/redirects and all of those are coming over ports 80 and 443 which in a hardware firewall are going to be 2 ports that you want open so you can get out to the internet in both unsecure/secure modes…basically negating that firewall altogether.

    The only secure system is the one not connected to the internet, but for those of us who live and work on the internet that’s not an option. So I tell my family to do the following, and this usually helps prevent infection in about 95+% of the time.

    1. Set up MS Windows OS to do updates at a time when they have the computer on but are not using it (usually I tell them during supper/dinner time). That way they don’t miss updates like those set up at 0300. Also, they can/should turn on Windows Defender and firewall if they aren’t using other alternatives. (This is for the dumb average Joe users in my family.)

    2. Set up and run Secunia’s PSI (Personal Software Inspector) and keep it up to date. This tool goes out and searches the machine for all 3rd party non-MS applications and tells what’s end of life, out of date and even has automated buttons to click to help them keep them updated (i.e. Adobe, Java, .NET etc.). There are some problems with it like having to manually uninstall some programs before you get a clean bill of health but it’s better than not doing it.

    3. Some sort of end point antivirus product, be it free or paid for (Symantec, McAfee, MS, Avast, AVG or whatever); they should have something there and keep it up to date.

    4. Use a browser other than MSIE, like Mozilla Firefox/Chrome/Opera, and keep it up to date. My personal preference is Mozilla FF running NoScript, anti spy/anti popup and Finjan add-ons and I’ve never had a problem with infections while browsing even porn sites.. 😀

    5. This is where the dumb user/training yourself part comes in. Watch out for phishing. Don’t click on any emails you don’t know who they’re from, delete all junk mail and set up filters, and don’t click on pop-ups or links on websites; always use Alt+F4 to close pages (never click anything, not even the close button on a pop-up).

    This saves me less than 5% of the time having to get calls from my brothers/sisters/in-laws and friends as the “family computer guy” at 11pm at night on a Friday while I’m watching my sci-fi because they got XSS’d into some fakeav site and now are having problems with their computer.

    Good article and I think it should be stressed that this won’t solve all the problems of the internet (i.e. zero days) but it goes a long way to helping keep the world clean of infection, one user at a time…
