Security Defects

The Importance of Security Updates

Security defects in the software products we use every day are found constantly. If not repaired, the defects allow criminals to take control of our computers as we visit web sites, view images, open documents, or even just sit on the network. Even if you do everything else right, these defects can allow criminals into your computer. Obviously it's important that updates to fix these defects be applied frequently and regularly.

Unfortunately, due to the frequency of defect discovery (at least monthly!) and the number of different vendors that are represented on our computers, this is not an easy task. Mainstream platform vendors (e.g. Microsoft and Windows, Apple and Macintosh, Red Hat and Linux) have mature automated notification and installation mechanisms you can set up using StartSafe instructions that mostly take care of the baseline computer for you. But when you start adding products (document readers like Adobe Reader, media players, browser add-ons, and other programs), things get a lot trickier. Moreover, those products are the most likely to be attacked these days.

A few of the products will help you by checking for available updates and notifying you when they're available. Unfortunately, most do not, and many products for the Windows platform won't do so if the computer is operated with the recommended safer user account. None of the common products will update themselves automatically. You'll have to initiate and complete the update process yourself, which may or may not be easy.

JMU-owned Windows computers managed by IT have the most common third-party updates applied to them automatically in addition to the Microsoft updates. Similar services are being considered for JMU-owned Macintosh computers, but there are no firm plans yet.

Operators of student and home computers (and JMU-owned computers not joined to the IT domain or managed by IT) and people operating managed computers who install their own software unfortunately have to keep up with the problem manually, a task that is taking more and more time and becoming more and more important on a weekly basis.

A company that makes a product that can help with this task and that has had favorable reviews is Secunia. They offer a web-based service you can visit with a browser that will check your computer for needed updates for a few dozen of the most popular programs. If you want, they will email you reminders on a periodic basis to rescan your computer. They also offer a program that can be downloaded and installed on home computers that can check for updates for thousands of programs. The latter program's license, however, only allows it to be used on home computers. It is illegal to install it on JMU-owned computers. As always when using a web service that requires downloading software, the terms and conditions and privacy policies should be examined.

You can look up security defects and vulnerabilities for any product manually at the SecurityFocus web site. There is also a list of common vendor security resources on the RUNSAFE site.

Update sites for a few of the most common products are listed below:

  • Microsoft (if you want to be sent an email message when new updates are available, subscribe here)
  • Apple (if you want to be sent an email message when new updates are available, subscribe here)
  • Red Hat Linux (if you want to be sent an email message when new updates are available, subscribe here)
  • Mozilla (Firefox, Thunderbird, SeaMonkey) (if you want to be sent an email message when new updates are available, subscribe here)
  • Adobe (check for installed version and get latest available version of Reader, Flash, Shockwave, and AIR here)
  • Java (check for installed version and get latest available here)

Security defects without a fix

Sometimes security defects are discovered and made known to the public before a security patch is available. Sometimes these defects are even discovered and exploited by criminals before anyone knows there is a problem. Depending upon the product and defect, simply clicking a link or opening an associated document could result in a compromise. These types of defects are becoming more and more common, particularly in third-party products.

Risk reduction measures include:

  • Avoidance of unnecessary software is the first line of defense. It cannot be exploited if it is not installed.
  • Operate the computer using a least-privilege user account (low operational impact once the environment is learned).
  • Disable browser scripting functionality. This can adversely impact operations, but the impact decreases as one becomes accustomed to the environment. It is much easier to operate in this environment using Firefox and the NoScript add-on than it is if you use Internet Explorer.
  • Avoidance of unsolicited e-mail links, documents, and web sites is the most generic operational risk reduction measure.
  • A combination of measures is the most effective (defense in depth).

More generic risk reduction measures can be found on the StartSafe pages.