Everyday Security in an Online World

Update Your Software

Bugs

It’s difficult for software developers to predict every possible way in which every function of their product might be used. When an application encounters an unanticipated situation, it may behave strangely, or crash and need opening afresh. The app is said to have a bug. Most software contains bugs, which is why we’re so familiar with the idea of restarting the computer when things go wrong.

At the same time, we often wish our devices were easier to use or more capable. As the world around us changes, so do our computing needs. Additionally, software companies are invariably keen to release new products to stay profitable and relevant in a competitive industry. To meet these demands, software is always evolving, and the Internet has made it easy for developers to issue updates quickly. But for all the good it can bring, this unending change also creates a continuous supply of new bugs.

Developers test their software throughout its production, trying to find bugs in order to eliminate them. But the biggest test is when the product is released and subjected to real-world use by millions of people.

Vulnerabilities and exploits

Sometimes the consequences of a bug are more serious than strange behaviour or crashes. A bug may create a condition in which a third party could hijack the operation of the app for their own purposes. Such a bug is called a vulnerability.

Computer code written specially to take advantage of a vulnerability is called an exploit. Deploying exploits against other people’s devices is illegal in most countries, but common nonetheless, and made easier because the Internet knows no geographic boundaries. People do it to steal information, destroy data, commit fraud, attack other systems, make ideological statements, and more.

In the worst cases, vulnerable software can be exploited with very little interaction by the user. In other words, you might not need to be tricked into downloading or agreeing to anything. You might simply visit a website and find your computer infected or your data destroyed.

Of course, you could be careful to only visit websites you trust. But even well-known sites have been known to be hijacked and used to cause harm.

Also, many otherwise healthy websites include advertising served by third parties. There are numerous examples of online advertising space being abused to exploit vulnerable apps and deliver malicious software. There’s even a name for it: malvertising.

And as if that isn’t enough, there have occasionally been vulnerabilities where – for example – simply receiving a specially crafted message can breach a phone’s security and lead to private information being extracted. That is, without even opening the message! When you consider that your phone could receive an unsolicited message from anyone in the world, you realise how severe such a vulnerability is: no amount of ‘being careful’ can reduce your chance of becoming a victim.

Disclosure and patching

People with the necessary time and skill, from many walks of life, seek out vulnerabilities in software. Some of these security researchers are employed by companies, some are self-employed, and some pursue it as a hobby.

When a security researcher finds a vulnerability, they report it to the software developer, often with a proof of concept showing how it can be exploited. They agree a timeframe in which they’ll keep the details private while the developer works to fix it. This is known as responsible disclosure, and the researcher may receive payment called a bug bounty in return.

The developer then releases a patch: an updated version of the software with the bug removed, making it immune to attempts to exploit it that way.

Updates

You must install the updated software to gain this protection. Some updates install entirely automatically, while others require your input — for example to enter your password or PIN, agree to legal terms, or restart the device.

The developer will likely have published a summary of what was fixed, in the interests of transparency and to help organisational IT departments prioritise their work. Unfortunately, this also gives a hint to people with criminal intent to examine the patch and try to work out what was previously exploitable. Their goal is to attack devices that haven’t been updated, but the work takes time.

So, the sooner you update, the better. The ideal situation is that everyone is already running the new, fixed version by the time any bad actors work out how to attack the old version.

Zero-day vulnerabilities

Unlike a well-intentioned researcher, a nefarious individual discovering a vulnerability may take advantage of it themselves, or sell details on a kind of black market. Consequently, the first a company may hear of a vulnerability in its software is when it’s seen being exploited in the wild. This is particularly dangerous because no patch is yet available; we call it a zero-day vulnerability.

It’s rumoured that governments are some of the highest bidders for knowledge of zero-day vulnerabilities, for potential use against other nation states in cyber warfare.

Obsolescence

Developing patches is expensive. Testing must be done, too, to check that fixing one bug hasn’t introduced another. So, after a while, software companies will stop updating older products in order to focus on their newer ones.

Newer software may require more computing resources or particular hardware, so some updates are available only for more recent or more highly-specified devices.

If you’re using an old version of an app that is unsupported – or if your device is too old or not powerful enough to run a current operating system – you’re left with reduced security. For this reason you may sometimes be advised to replace an ageing computer, tablet or phone even though it isn’t broken.

What you can do
