At least once a month, maybe even once a week, you are prompted to update a piece of software on your device. More often than not, these updates (also called fixes, service packs or patches) are intended to correct software vulnerabilities. Software vulnerabilities can be dangerous because they frequently give cyber criminals a back door to your device. They are often easy for hackers to find and easy to exploit, enabling them to infect or compromise your computer with no action on your part other than viewing a video or listening to recorded media on a website, in an email message, or through an instant message. Their purpose is to steal private data, infiltrate websites, or take over that software or prevent it from working altogether.
Software vulnerabilities are security flaws, or weaknesses, in software (including operating systems) that, if discovered, provide an entry point for cyber-thieves. Vulnerabilities are found in all kinds of software, such as web browsers, email programs, image viewers, instant messaging applications and operating systems, and are not limited to any particular vendor. According to the National Vulnerability Database, in 2013 to date Adobe software products have generated over 146 vulnerabilities, Microsoft 324, Apple 362 and IBM 373: http://web.nvd.nist.gov/view/vuln/statistics.
Cyber criminals tend to have “favorite” vulnerabilities that allow them to go unnoticed by users and leave no trace of their work. They use, sell and share them broadly. CWE (Common Weakness Enumeration), an initiative dedicated to raising awareness of software security weaknesses, in collaboration with the SANS Institute, MITRE and many top software security experts in the US and Europe, published a list of the top 25 most dangerous software errors: http://cwe.mitre.org/top25/
At the top of the list are web-targeted exploits:
- SQL injection
- Cross site scripting (XSS)
- URL redirection to untrusted sites
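The three weaknesses above are easier to recognise in code than in prose. The following Python block is an added example written for this post (not McAfee's or CWE's code): for each weakness it places the vulnerable form next to its hardened form, using an in-memory SQLite table, `html.escape` and a constructed allow list of redirect hosts (`www.example.com` is a made-up value). The point is the defender's one: the fix is a parameterised query, output encoding, and validating a redirect target against a known list, respectively.

```python
import html
import sqlite3
from urllib.parse import urlparse


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# SQL injection (CWE-89). The vulnerable form builds the statement by string
# concatenation, so characters in the user-supplied value are parsed as SQL.
def lookup_vulnerable(conn, name):
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


# Hardened form: the driver passes the value as a bound parameter, so it can
# never change the structure of the statement.
def lookup_safe(conn, name):
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Cross-site scripting (CWE-79). Untrusted text must be HTML-encoded before it
# is inserted into a page; the vulnerable form inserts it verbatim.
def greeting_vulnerable(display_name):
    return "<p>Hello, " + display_name + "</p>"


def greeting_safe(display_name):
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


# URL redirection to an untrusted site (CWE-601). The vulnerable form trusts a
# "next" parameter as-is; the hardened form accepts only same-site relative
# paths or absolute URLs whose host is on an explicit allow list.
ALLOWED_HOSTS = {"www.example.com"}  # constructed allow list for this example


def redirect_target_vulnerable(next_url):
    return next_url


def redirect_target_safe(next_url, default="/"):
    parsed = urlparse(next_url)
    # Reject backslashes outright: some browsers treat "/\host" like "//host".
    if "\\" in next_url:
        return default
    # Relative path: no scheme, no host, and not a protocol-relative "//host".
    if (not parsed.scheme and not parsed.netloc
            and next_url.startswith("/") and not next_url.startswith("//")):
        return next_url
    # Absolute URL: only http(s) to an allow-listed host.
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return next_url
    return default


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, hostile))  # every row leaks
    print("safe lookup:     ", lookup_safe(db, hostile))         # nothing matches
    print(greeting_safe("<b>Bob</b> & co"))
    print(redirect_target_safe("//attacker.example/"))            # falls back to "/"
```

Each `*_safe` function keeps the same signature as its `*_vulnerable` counterpart, so swapping one for the other in a code base is a mechanical change; the review question for each call site is simply which form is in use.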
Your computer may be working perfectly today, making you wonder why you should apply patches. Some vendors and products, such as Google Chrome and Adobe Flash, apply patches automatically and invisibly to users, while others require some level of interaction, such as a click of approval to install the update. Some patches contain bug fixes, others incremental features, and many are intended to protect you, the user. By not applying a patch you might be leaving the door open to cybercriminals looking for an easy point of entry.
Software vendors are aware of these security vulnerabilities and regularly release security updates to address them. In fact, most applications provide an automatic update feature. However, a study conducted by online communications giant Skype revealed that 40% of American, German and British users don’t immediately apply these security updates when prompted.
Another recent study, by the CSIS Security Group A/S, concluded that as much as 99.8% of all virus/malware infections caused by commercial exploit kits are a direct result of failing to update key software packages, a problem most likely caused by the 66% of users they found do not regularly update these applications.
The same study exposed that 37% of users still browse the web with insecure Java versions, a risk the U.S. Department of Homeland Security takes very seriously: in a posting on its website it urged the hundreds of millions of consumer and business users to disable Oracle Corp’s Java software.
Without adequate attention, systems with outdated security patches are quick targets for attacks that exploit software vulnerabilities. A successful exploit can lead to many outcomes: loss of private data (including access credentials), identity theft, remote access to or control of your device, and breaches of customer privacy, to name a few.
After reading this blog, take a few minutes to turn on automatic software updates in all applications installed on your device(s). Most updates require little interaction from the user: just a click to start the process and, most painfully, a restart when completed. Staying on top of the latest security patches could be a matter of survival for your business, with 60% of businesses closing within 6 months of a data breach.
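Knowing whether a fleet is actually patched, rather than hoping users clicked "install", means comparing each installed version against a required minimum and flagging anything with automatic updates switched off. The Python block below is an added example for this post, not McAfee's tooling or any vendor's: the software inventory and the baseline versions are constructed placeholders (the product names are generic and the version numbers are illustrative, not real advisories). It shows the one detail such a check routinely gets wrong, namely that Java-style versions such as `1.7.0_45` must be compared numerically, not as strings.

```python
import re

# Constructed inventory, shaped like what an endpoint agent might report.
# Versions and the auto_update flags are illustrative placeholders.
INVENTORY = [
    {"name": "Java",       "version": "1.7.0_25",     "auto_update": False},
    {"name": "Flash",      "version": "11.9.900.117", "auto_update": True},
    {"name": "Chrome",     "version": "30.0.1599.66", "auto_update": True},
    {"name": "PDF Reader", "version": "10.1.8",       "auto_update": False},
]

# Minimum acceptable version per product (placeholders, not real advisories).
BASELINE = {
    "Java": "1.7.0_45",
    "Flash": "11.9.900.117",
    "Chrome": "30.0.1599.101",
    "PDF Reader": "11.0.05",
}


def parse_version(text):
    """Turn '1.7.0_45' or '11.9.900.117' into a tuple of ints.

    Splitting on '.', '_' and '-' covers the Java update-number convention.
    A plain string comparison would rank '1.7.0_9' above '1.7.0_45'.
    Non-numeric components (e.g. 'beta') are treated as 0.
    """
    parts = re.split(r"[._-]", text)
    return tuple(int(p) if p.isdigit() else 0 for p in parts)


def is_outdated(installed, required):
    """True when the installed version is strictly below the required one."""
    a, b = parse_version(installed), parse_version(required)
    # Pad the shorter tuple so '10.1' and '10.1.0' compare as equal.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def audit(inventory, baseline):
    """Return (product, finding) pairs for everything that needs attention."""
    findings = []
    for item in inventory:
        required = baseline.get(item["name"])
        if required is None:
            findings.append((item["name"], "no baseline defined"))
            continue
        if is_outdated(item["version"], required):
            findings.append((item["name"],
                             f"installed {item['version']} is below required {required}"))
        if not item["auto_update"]:
            findings.append((item["name"], "automatic updates disabled"))
    return findings


if __name__ == "__main__":
    for product, finding in audit(INVENTORY, BASELINE):
        print(f"{product}: {finding}")
```

Run against the constructed inventory, the audit reports Java and the PDF reader twice (out of date and not auto-updating) and Chrome once, while Flash, exactly at its baseline with updates on, produces nothing. In practice the inventory comes from a management agent and the baseline from the vendor's current release notes; the comparison logic is the part that stays the same.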
As always, avoid visiting or clicking links to unknown or suspicious sites and refrain from opening email from unknown senders.
To learn more about how McAfee can help protect you from these attacks please visit: http://www.mcafee.com/us/business-home.aspx