Everyday Security in an Online World

Update Your Software

It is difficult for software developers to predict every possible way in which every function of their product might be used. When an application encounters an unanticipated situation, it may behave unexpectedly, or crash and need opening afresh. The app is said to have a bug. Most software contains bugs, which is why we are so familiar with the idea of restarting the computer when things go wrong.

At the same time, we all wish our devices were easier to use or capable of more things. As the world around us changes, so do our requirements. Additionally, software companies are invariably keen to release new products to maintain a revenue stream and stay relevant in a competitive industry. To meet these demands, software is always evolving, and the Internet has made it easy for developers to issue updates to customers quickly. But for all the good it can bring, this unending change also creates a continuous supply of new bugs.

Developers test their software throughout its production, trying to find bugs in order to eliminate them. But the biggest test is when the product is released and subjected to real-world use by millions of people.

Vulnerabilities and exploits

Sometimes the consequences of a bug are more serious than unexpected behaviour or crashes. Certain bugs create a condition in which a third party can hijack the operation of the app for their own purposes. Such a bug is called a vulnerability.

Computer code written specially to take advantage of a vulnerability is called an exploit. Deploying exploits against other people’s devices is illegal in most countries, but common nonetheless, and made easier because the Internet knows no geographic boundaries. People do it to steal information, destroy data, commit fraud, attack other systems, make ideological statements, and more.

In the worst cases, vulnerable software can be exploited with little or no interaction by the person using the device. You might simply visit a website and find your device infected or your data destroyed.

Of course, you could be careful to only visit websites you trust. But even well-known sites have been known to be temporarily hijacked and used to cause harm.

Also, many otherwise healthy websites include advertising served by third parties. There are numerous examples of online advertising space being abused to exploit vulnerable apps and deliver malicious software. There’s even a name for it: malvertising.

As if that isn’t enough, there have occasionally been vulnerabilities in smartphones where simply receiving a specially-crafted text message can breach the phone’s security and lead to the owner’s private information being extracted. When you consider that anyone in the world can text anyone else – perhaps just trying thousands of random phone numbers – you realise how severe such a vulnerability is, because no amount of ‘being careful’ can reduce the likelihood of you being a victim.

Disclosure and patching

People with the necessary time and skill, from many walks of life, seek out vulnerabilities in software. Some are employed by companies, some are self-employed, and some pursue their research as a hobby. If they find a vulnerability they report it to the developer, typically agreeing to keep the discovery private while the developer works to fix it. This is known as responsible disclosure, and researchers may receive money in return.

The developer then releases a patch to fix the bug, or an updated version of the software with the bug removed. This makes the software immune to attempts to exploit it that way.

So, in the dark cloud of bugs caused by software’s unending evolution, the silver lining is that this very same process can be used to fix bugs — and to deliver those fixes to customers.

Zero-day vulnerabilities

Unlike a well-intentioned researcher, a nefarious individual discovering a vulnerability may take advantage of it themselves, or sell details on a kind of black market. Consequently, the first a company may hear of a vulnerability in its software is when it is seen being exploited in the wild. This is particularly dangerous because no patch is yet available; we call it a zero-day vulnerability.

It is rumoured that governments are some of the highest bidders for knowledge of zero-day vulnerabilities, for potential use against other nation states in cyber warfare.

Obsolescence

Developing patches is expensive. Testing must be done, too, to check that fixing one bug hasn’t introduced another. So, after a while, software companies will stop ‘supporting’ older products with updates in order to focus on their newer ones.

Additionally, newer software may require more computing resources or particular hardware, so some updates are available only for more recent or more highly-specified devices.

If you’re using an old version of an app that is unsupported – or if your device is too old or not powerful enough for an update – you are left with reduced security. For this reason you may sometimes be advised to replace an ageing computer, tablet or smartphone even though it isn’t broken.

What you can do

If you found this useful, you can support my work by buying me a coffee or ordering a paperback or Kindle copy of the book.