As of this past week (by early June), Microsoft had already released 931 security updates in 2017 alone. Those apply to a range of different Microsoft products, but it shows how many issues need to be addressed on a regular basis.
These figures don’t include updates from all the other software companies or device manufacturers, such as updates to the other programs you use, or to the software (“drivers”) needed to run the printers, scanners, keyboards, mice and the components that make video and sound work on your computer.
Some of the updates that are released aren’t relevant to your computer directly. Some may apply to software you don’t have on your computer. Many affect servers that larger companies use. But many do apply to you. And, if you use the Internet or do business with companies, the updates meant for those companies’ computers become relevant to you if they don’t get installed and one of those companies gets hacked.
These security updates address vulnerabilities, or weaknesses in systems. A vulnerability isn’t a problem unless there is a way to take advantage of it (exploit it) to do something that shouldn’t be done. But, given time, someone will usually find some way to exploit a vulnerability if it is present. So, it is important to find a way to fix or patch these vulnerabilities. When a fix has been found, an update is released.
Keeping up with updating all these systems can be quite a daunting task, especially when some companies have thousands of computers that need to be updated. Even with the automated techniques to keep them updated, it is a major challenge.
Very often, when a computer gets hacked, it’s because someone takes advantage of a vulnerability for which a patch is available but, for some reason, nobody applied the patch. The recent “WannaCry” ransomware that spread throughout the world took advantage of an issue that had been patched a couple of months earlier. But many people hadn’t applied the patch.
In a great many cases when computers are hacked, a patch that fixes the vulnerability has been available for years. But it wasn’t applied to the system that got hacked.
The obvious solution is to apply all the patches. But, as mentioned earlier, that is a daunting task for a company with thousands of computers. Just keeping up with which patches need to be applied to which systems can be challenging. If you are an individual, or run a small business, and are not technically skilled, it can also be difficult. There are fewer patches that need to be applied to your computer, but it is still a challenge to discover what needs to be applied and, possibly, how to do it.
But, there is an even darker side to all this. Nearly a thousand Microsoft “patches” or “fixes” have been released this year and the year isn’t even half over. These patches are released because new issues have been discovered and fixed since the software was initially released. Let’s look a little closer at this process.
A security update is released to address a particular problem. That problem is generally something that wasn’t known when the software was initially released. Then, at some point, someone discovers an issue.
Once it is discovered and reported to the software company, the company has a chance to try to fix it. Sometimes, the software company ignores it. If they take the issue seriously, it takes some time to develop a fix. Then the fix has to be tested to make sure it resolves the issue and doesn’t break something else (hopefully). Then it finally gets released to the public.
So, there is a delay. The time from the discovery of an issue to the time a solution is made available might be minutes to hours, but it could easily be weeks or more, depending upon the issue.
Even then, once a fix is released, there is still the issue of getting the fix applied to people’s computers. Microsoft’s “Automatic Updates” apply the most critical fixes to recent Microsoft products automatically. But there are many other pieces of software on our computers that don’t update automatically.
What this means is that, once an issue is discovered, there is a delay before a “fix” is available and another delay before it gets applied to systems.
These problems that are getting fixed were all present in the software, some for extended periods of time, but they often weren’t known about until shortly before the patch was made available. Remember how many security updates are being released? A lot of those issues were present at the beginning of this year. But they hadn’t been discovered yet. Or, more accurately, the “good guys” hadn’t discovered them yet. (There is a host of security researchers out there that are looking for issues so that they can be fixed before the “bad guys” discover them and exploit them to hack into our computers.)
This means that there are numerous problems that the “good guys” don’t know about. Some of the time the “bad guys” find them first.
What happens if a bad guy discovers a problem first? If they are smart, they don’t tell anybody. They can try to find a way to exploit that problem and use it to their advantage. Then they can use it to gain control of computers or to steal information (or money), and they can keep doing it until the “good guys” discover that same problem and find a way to fix it.
That’s what is meant by a “zero-day exploit.” The term describes a situation in which:
1) someone, possibly a bad guy, has discovered a vulnerability,
2) they have also discovered a way to take advantage of that vulnerability to do something harmful, and
3) there isn’t a way to fix the vulnerability yet.
Consider the number of security fixes being released (thousands every year).
Realize that these fixes are being released to fix problems that existed before they were discovered.
Realize that there are numerous other problems that haven’t yet been discovered.
Now you can understand one of the reasons computers get hacked.
You should come to terms with the following:
The picture may look pretty hopeless at this point. But there’s hope. While we can’t protect against all the exploits (at least until they are discovered and a solution is provided) there are still some things that can be done.
In fact, in many of the cases where someone gets hacked, there is something they could have done.
This is based on two principles:
A) In many of the instances where hacks occur, the hacker takes advantage of vulnerabilities that have already been fixed. They have often been fixed for years. In the recent case of the “WannaCry” ransomware epidemic, the vulnerability had been fixed a couple of months earlier.
B) There are sometimes measures that can prevent an exploit from reaching or running on your system. When that is the case, if you have those measures in place, the exploit won’t affect you.
Here’s what you can do:
1) Pay attention to any notices or alerts telling you that your system needs an update. Don’t ignore them. (Of course, knowing whether the notice of an update is valid or if it is some hacker’s attempt to get you to do something you shouldn’t is another issue. So you need to make sure any updates are “authentic.”)
2) Keep your software up-to-date. If a new version comes out, consider updating to the new version. If you are concerned about the new version being “buggy,” you could wait awhile to see if there is any feedback about problems with the new version. But don’t get too far behind in updating your software.
Updating your software includes the version of Windows (e.g., Windows 8 or Windows 10) or the version of Mac software that you run. It also includes updating your web browser, like Firefox, Safari, Chrome, etc. It includes any security programs. It also includes any other software that you might be using. If you are using software from security-conscious companies, they may have an e-mail notification list to notify you of important updates. Some of their e-mail notices may be for marketing purposes, but some may be important messages about security updates. You often get these when you register your software.
3) When you have the opportunity, let companies that provide your computers and your software know that security matters to you.
4) Let other companies that you do business with know that security matters to you. (This includes retail stores in your community as well as online.) They are more likely to pay attention to the security of their systems if they know you may shop elsewhere if they don’t do a good job with security.
5) Consider reading the license agreement or EULA (end-user license agreement) before you install software. I usually do. Most people don’t. I realize that they are long and parts might be difficult to understand, but reading them can give you an idea of what to expect with the software. You might at least scan through the document to see if anything generates concern. Some software includes features that you may not like for privacy or security reasons. You may decide not to install the software because the agreement opens the door to unacceptable privacy risk.
(This also applies to vulnerabilities for which a fix has been found and released.)
6) In many cases, there are measures you can take that reduce the likelihood of becoming a victim. Let’s say a bad guy tries to use a zero-day exploit against you. There may be certain conditions that are required for that exploit to work. There may not be any way to stop the exploit from working if it reaches the vulnerable part of your system. But there may be a way to prevent that exploit from reaching the vulnerable part of your system. I talk about some of those measures in this blog. I will also be going into detail about some of them in upcoming “classes.”
Stay informed of good security practices and you may be able to escape becoming the victim in the majority of cases.