The Importance of Security Updates

A friend recently asserted that he doesn't bother with security updates on his computer and for his software. This is wrong. Security updates are important and should always be installed.

This sort of thing will happen to you if you don't update your computer. (Not that this attack was directly related to lack of updates, but the principle is the same.) To which he replied:

I don't believe that updates play that much of a role. So I won't update my OS X to 10.7 (I use 10.6) because I think my machine won't be able to handle it.

It's important to differentiate between upgrades and security updates. Upgrades, e.g. from 10.6 to 10.7, give you new features etc., but each version of the OS has its own security updates (e.g. security updates are produced for 10.6). The only time you need to upgrade for security reasons is when the OS you're using is so old that it no longer gets security updates (e.g. Apple don't produce security fixes for 10.4 any more).

Security updates are important because, if a researcher finds a security hole, they'll inform the OS or software vendor (e.g. Apple for OS X), but not yet the rest of the world. Apple will fix it and produce a security update. After everyone has the security update, the researcher announces it to the world. From this moment on, hackers and virus writers have access to the information and can incorporate this information into their viruses. If you are running a system without security updates, the virus can infect your system.

Once a virus is on your system, it can record your keystrokes, see everything you're submitting to the internet (e.g. email username/password), can alter webpages that you see (e.g. when you click "login" the information is submitted to their servers, not to the website you want), and so on. With this information attackers can slowly take over your identity, use your money, delete your data, and so on.

It's not only operating systems that need to be updated, but also browsers and all other software.

There are also "zero day attacks", where a security researcher releases the information about a security hole immediately (after "zero days"), or where a hacker finds a security hole themselves. There's not much you can do about them except install the updates as soon as they're available. There's still a window, between when the virus is out there and when your system is no longer vulnerable, in which you can be attacked, but it's better to make this window as small as possible by installing the update as soon as it's available.

This article is © Adrian Smith.
It was originally published on 9 Dec 2012