7. OS and Program Updates
My focus here will be on Windows updates as this affects the majority of HASA visitors. Everything I say about updates, however, will hold true for non-Windows systems as well. Keeping your system updated is comparable to having maintenance work done on a vehicle. You need to make sure the parts are not worn out or exposing you to unexpected hazards.
As mentioned in "How Do Exploits Happen?", most malware exploits can be blocked simply by keeping your software up to date with the latest security patches. First you need to patch your OS, and then you need to update your software.
As with anything touching on Microsoft, there is a significant amount of FUD (fear, uncertainty, doubt) surrounding this update system. Microsoft critics claim that it is used to put spyware on the machine, that Microsoft installs malware to purposefully break your stuff and force you to buy new software, that their software is crappy and they have to run the updates to fix all the bugs, and similar kinds of arguments. Here is what I know:
- I participate in security testing for a major IT firm. We analyze all traffic in and out of our customers' networks. We have never found evidence of any spyware or malware from Microsoft. We can't say the same for other major software manufacturers.
- Microsoft does aggressively use Genuine Software Validation tests to make sure your software is licensed. If you have unlicensed Windows software on your machine and it won't allow you to update, you have two options. If the block is due to a false positive (your software is licensed but the test says it isn't), call Microsoft and say so. They will help you get the test working correctly. If your software is not valid (for example, if a software vendor sold you pirated software), you will need to purchase a valid software license. All security updates will download and install regardless of the condition of your license.
- All software has bugs and security vulnerabilities. Some vulnerabilities have few consequences. Others can be devastating. Something that could not be hacked a month ago may be hackable today because a clever programmer figured out a new exploit. No matter what product you choose to use, you had better be updating it.
OK, now that we've dispensed with the FUD factor, to protect your machine you need to configure Windows Update to run automatically. Here are the links:
- Turn on updates for XP: http://www.microsoft.com/windows/downloads/windowsupdate/learn/windowsxp.mspx
- Turn on updates for Vista:
- Turn on updates for Win7:
Microsoft has a standard schedule of pushing out major updates the second Tuesday of every month (this is why HASA goes offline for a few minutes that day, to apply patches), plus extra critical updates, called "out of band updates", if a critical security patch needs to be pushed out early. If you set your system on automatic updates, you will get all of them.
Ang's Personal Opinion: I set Microsoft updates to download and notify me when updates are available, but not to install them until I review and approve them. For me, this is a good balance between the convenience of automatic updates and control over changes made to my machine. My Win7 system complains to me that I should let it install the updates automatically, but I ignore it. End opinion.
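To confirm which update mode a Windows machine is actually in, and whether patches are really being installed, here is an added example (not part of the original guide) that reads the settings through the built-in Windows Update Agent COM interface. It assumes PowerShell is available (it ships with Windows 7); the function name Get-UpdatePosture and the 40-day threshold are assumptions made for illustration.

```powershell
# Added example: read-only check of Windows Update settings via the local
# Windows Update Agent COM API. Run in a PowerShell window; changes nothing.
function Get-UpdatePosture {
    param([int]$MaxAgeDays = 40)   # assumption: just over one monthly patch cycle

    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $modes = @{
        0 = 'Not configured'
        1 = 'Disabled'
        2 = 'Notify before download'
        3 = 'Download automatically, notify before install'
        4 = 'Download and install automatically'
    }
    $level = [int]$au.Settings.NotificationLevel
    $mode  = $modes[$level]
    if (-not $mode) { $mode = "Unrecognized value $level" }

    $warnings = @()
    if (-not $au.ServiceEnabled) { $warnings += 'Automatic Updates service is not enabled.' }
    if ($level -eq 1)            { $warnings += 'Automatic updating is turned off.' }
    if ($level -eq 2 -or $level -eq 3) {
        $warnings += 'Updates wait for your approval; review and install them promptly.'
    }

    # Date of the last successful install (reported in UTC); empty if none recorded.
    $last = $au.Results.LastInstallationSuccessDate
    $days = $null
    if ($last -is [datetime]) {
        $days = [math]::Floor(((Get-Date).ToUniversalTime() - $last).TotalDays)
        if ($days -gt $MaxAgeDays) {
            $warnings += "No update installed in $days days; check for missed patches."
        }
    } else {
        $warnings += 'No successful update installation is recorded.'
    }

    New-Object PSObject -Property @{
        Mode             = $mode
        ServiceEnabled   = $au.ServiceEnabled
        LastInstallUtc   = $last
        DaysSinceInstall = $days
        Warnings         = $warnings
    }
}

Get-UpdatePosture | Format-List Mode, ServiceEnabled, LastInstallUtc, DaysSinceInstall, Warnings
```

An empty Warnings list with a recent LastInstallUtc means the machine is keeping up with the monthly releases; a "notify" mode with an old install date means approved updates are not actually being installed.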
Other OS Updates
- Apple has updates for Macs that are comparable to Microsoft's updates for Windows. Use them. It's a good thing.
- Updates for Linux will depend on the distro you are using. Updates will probably be manual. Research what you need to do to keep your system updated.
This is more than just updates to your operating system. If you run an Office suite or some Office products (and most of you do), those products will also be updated for security with these patches. This is a good thing because one of the largest attack points for malware is versions of Word and Excel that are out of date. You do not necessarily need to upgrade to a new product, but you must update and patch your existing software.
While most Microsoft products will get patched with the Microsoft Update, you should look at the other programs you use and investigate which ones have some kind of automatic update feature. If it has that feature, turn it on. We'll go over Adobe Acrobat Reader, Adobe Flash Player and Firefox in later chapters, but check your mail programs, graphics programs, games, and utilities as well. They may be targeted by hackers, too.
It is a good habit to set a day each month to check for updates on any program that you use regularly and that can't be set up for automatic updates. Just put a reminder into a calendar and follow through.
Now that you've cleaned up your system, it's time to put up walls to defend it, starting with a firewall.