How software updates help keep you safe
Welcome to Threat Intel’s #WednesdayWisdom column, which aims to help improve your cybersecurity knowledge and keep you informed on important developments.
For most of us, updating software is a chore. You can bet that update reminders and restart requests will always arrive at the worst possible time, usually when you’re trying to get something important done.
It can mean that people will often put updates on the long finger, repeatedly dismissing reminders or clicking “Remind me Later”. There are even some who never update their software, unaware that updates will often contain patches for newly discovered vulnerabilities. Software vulnerabilities are one of the key tools for attackers attempting to compromise individuals and organizations. The more outdated the software a computer is running, the juicier a target it is for attackers.
The recent Petya and WannaCry ransomware outbreaks are classic cases in point. What made them dangerous was their ability to spread quickly. They both incorporated an exploit of a recently patched Windows vulnerability that effectively turned them into worms, allowing them to jump to other vulnerable computers, both across a network and across the internet. Approximately 300,000 computers were infected with WannaCry within the space of a few days. What every infected computer had in common was that it hadn’t been updated.
Microsoft issued at security update on March 14, 2017, that patched the vulnerability. The version of WannaCry that incorporated an exploit of the vulnerability appeared almost two months later on May 12. Had more of these computers been updated sooner, WannaCry wouldn’t have been nearly as effective. However, as the Petya outbreak, which began on June 27, has shown, in some cases even a high-profile incident like WannaCry isn’t enough to inspire individuals to update their systems.
While Petya and WannaCry are high-profile recent examples, they are just two threats among many that target individuals and organizations that, for one reason or another, haven’t updated their software.
What’s a vulnerability and why should I care about them?
In a nutshell, a vulnerability is a flaw in a piece of software that allows an attacker to use it to do something it wasn’t intended to do. That could be anything from creating a denial-of-service condition or making the computer unresponsive, to granting the attacker administrative privileges.
“A vulnerability is a flaw in a piece of software that allows an attacker to use it to do something it wasn’t intended to do”
Some vulnerabilities require local access, i.e. the attacker needs access to the computer to exploit it. Far more dangerous are remote access vulnerabilities that allow an attacker to trigger an exploit across a network or the internet.
Generally speaking, remote code execution vulnerabilities are the ones that are most feared, since they permit a remote attacker to run code on a vulnerable computer. In most cases, “running code” means installing malware.
Exploit kits, a prime danger
One of the most common ways vulnerabilities are exploited is through exploit kits. An exploit kit is a tool that is installed on a malicious website and scans visiting computers for unpatched vulnerabilities. If it finds one, the exploit kit will then attempt to use it to install malware on the visitor’s computer.
Most exploit kits will incorporate a range of exploits in order to maximize the chances of infection. Exploit kits will usually scan visiting computers to learn what software they are running and use this information to identify the exploit most likely to work and then use it to deliver malware.
“An exploit kit is a tool that is installed on a malicious website and scans visiting computers for unpatched vulnerabilities”
Exploit kit authors usually continually update the list of exploits their kits will use. Older exploits will be phased out and replaced with ones exploiting more recently discovered vulnerabilities. The cyber criminals behind exploit kits generally don’t get involved in creating malware themselves. Instead they rent their services out to various malware authors who are looking for a distribution channel.
While exploit kits are some of the prime users of vulnerabilities, they aren’t the only ones. Some malware will have an exploit incorporated into it — usually permitting it to install or spread itself — WannaCry being a classic example.
Exploits are also a valuable tool for groups conducting targeted attacks and are frequently used to gain access to networks and escalate privileges to gain administrator access, which allows attackers to move from computer to computer across a network. The exploit used by Petya and WannaCry, known as Eternal Blue, was originally used by the Equation cyber espionage group and fell into attackers’ hands after it was leaked.
There are occasions when updating can be delayed for reasons other than laziness. For example, many organizations will often delay updating software until their IT department has had a chance to test the update. Why? In an environment where operations rely on multiple, complex software packages, sometimes fixing one thing can break another, and IT needs to check that any update doesn’t cause unexpected problems.
“The most effective kind of security is multi-layered, and regularly updated software represents one strong line of defense”
That doesn’t mean that an organization will be wide open to attack while waiting to apply updates. Security software (such as Symantec’s!) can detect and block attempts to exploit vulnerabilities. For example, the Intrusion Prevention System (IPS) in Symantec products will flag and block activity relating to a wide range of exploit kits, in addition to blocking attempts to exploit numerous individual vulnerabilities. In addition to this, our Memory Exploit Mitigation feature can preemptively block exploit techniques regardless of whether they are known or unknown, foiling attackers’ attempts to take advantage of zero-day (previously unknown) vulnerabilities. Free tools, such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), can also help harden software until it can be patched.
However, securing yourself against exploits doesn’t mean you can ignore patches. The most effective kind of security is multi-layered, and regularly updated software represents one strong line of defense.
What software is most at risk?
The perfect piece of software has yet to be written, and most packages require regular updates to fix newly discovered vulnerabilities. However, some software is more frequently targeted by malicious actors in search of vulnerabilities.
Every device has an operating system, so if you want a vulnerability that affects large numbers of people, an operating system bug is a good bet.
Windows is still by far the most widely used desktop operating system, so it’s not surprising that Windows vulnerabilities are popular among attackers. By attempting to exploit a Windows vulnerability, an attacker can hope to get the “best bang for their buck” and hit the largest number of potential victims.
However, Windows isn’t the only OS to be affected. Vulnerabilities are frequently found in Mac OS, the two main mobile operating systems — iOS and Android — and various flavors of Linux. Linux vulnerabilities can facilitate quite targeted exploits and may be used by attackers who are attempting to infect specific kinds of computers, such as web servers or Internet of Things (IoT) devices.
Browsers and browser plugins
Again, their sheer ubiquity, combined with the fact that users will naturally have a browser open if visiting a malicious website, means that browsers are another prime area of interest for attackers. In recent years, browser plugin vulnerabilities have been just as popular, partly because many plugins are cross-platform, meaning that an exploit will affect users of any browser using the plugin.
While widely used packages are the most frequently targeted by attackers, you shouldn’t ignore the other software you run. Even relatively niche packages can sometimes be targeted with exploits, particularly by attackers attempting to tailor an attack to certain types of targets. In short, a small bit of inconvenience when it comes to updating can help spare you a lot of trouble in the long run.
Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.