October 29, 2019

Why you should keep your software up to date

Operating systems and applications that are out of date or not regularly updated put you at risk because they contain a lot of vulnerabilities. Many of these vulnerabilities can be easily detected and exploited by criminals, and when that happens the consequences can be really damaging.

What's the actual risk if you don't update?

Well, this for instance:

Hopefully you haven't seen this or a similar pop-up before. This is the WannaCry ransomware, asking the owners of infected computers for an amount of money to get their files back. WannaCry was first spread in a worldwide attack in May 2017 in which more than 200,000 computers across 150 countries got infected.

If you want to know in detail why this could happen, read this article. The very short explanation is an unpatched vulnerability on a lot of Windows machines. Microsoft had released updates containing a fix for this particular vulnerability on March 14, 2017, two months before the ransomware broke out, but the impact was still massive.

It was remarkable that almost all WannaCry victims were running Windows 7. Almost no Windows 10 users were affected because they had the necessary updates installed via automatic updates.

The WannaCry infections didn't stop in 2017. In the two years after the worldwide attack there have been more than 4.8 million WannaCry detections. And only 5 months ago there were still between 500,000 and 1 million computers on the internet that hadn't installed the necessary updates and thus are vulnerable to WannaCry and every other attack that uses the same underlying vulnerability.

Why you need automatic updates

People who don't have automatic updates enabled very likely won't install updates at all. The reason is that most people don't understand the security risks of not installing updates.

This is exactly what we saw with WannaCry. The most affected systems were running Windows 7, which doesn't have automatic updating enabled by default. From Windows 10 on, Microsoft enabled automatic updating by default so that less security-aware users also get the necessary updates.

Automatic updates are available for most operating systems but sometimes you have to enable them, for instance for iOS. I really encourage you to do so.

In any case, DON'T disable automatic updates. Online you can find a lot of articles that recommend disabling them. The narrative is always the same: updates can break functionality or, in the worst case, even force you to do a complete reinstall of your system.

WannaCry is just one of the examples that shows the benefits of automatic updates. It proves that updating doesn't happen (on time) when it's not automated. Personally, I have never had a bad experience with updating. There are known cases where certain functionality or even the entire device didn't work anymore after an update, but this is rather exceptional. And if you make sure that you have working backups, you will always be in a position to recover.

Update your applications

Until now I have only talked about updating operating systems, but the same applies to the applications you run on your devices. Keep them up to date!

To give you an idea of how many bugs are found in applications, have a look at this site that lists so-called CVEs (Common Vulnerabilities and Exposures).

As you can see, there are at the moment more than 125,000 security vulnerabilities in this database. In the screenshot below you can see that for Adobe alone there are 3452 vulnerabilities found.

Most of them will have updates available. Keep in mind that a lot of these vulnerabilities can be exploited by criminals if you don't install the latest updates.

Upgrade or move to a new version before software runs out of support

When software is no longer supported by the vendor you might get in trouble.

Let's take Windows 7 - which will no longer be supported by Microsoft in a few months - as an example.

This is what Microsoft itself says about it.

"The specific end of support day for Windows 7 will be January 14, 2020. After that, technical assistance and software updates from Windows Update that help protect your PC will no longer be available for the product. Microsoft strongly recommends that you move to Windows 10 sometime before January 2020 to avoid a situation where you need service or support that is no longer available."

In September 2019, less than 4 months before Windows 7 runs out of support, it's still installed on almost 30% of all Windows computers worldwide.

29.39% of Windows users worldwide still use Windows 7

Knowing that the operating system market share of Windows is 35.32%, this means that Windows 7 accounts for 10.38% of all operating systems worldwide at the moment.

Windows has a 35.32% market share worldwide

I can only reiterate what Microsoft says: move to Windows 10 before January 14, 2020.

For mobile devices it's equally important to understand how long they will be supported and thus receive updates. If you want to know more about it please read this post.

Updating is no silver bullet

Keeping your software up to date is very important to reduce risk. But you should understand that there will always be security holes that vendors aren't aware of yet and that are already being actively exploited by criminals. Or in some cases vendors just don't release patches for known security issues. That's why you can't rely on updates alone but should apply the different security best practices we've seen throughout this series.

Conclusion

Update regularly and make sure the update process is automated. It's equally important to upgrade your software (or install a new version) on time to keep receiving updates that contain necessary security fixes.  

That's it for today. Tomorrow I'll be back for the second to last post in this security awareness series. In the meantime stay safe online!