[this post is from Dennis Houseknecht, a Nerd in West Virginia)

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals.  Criminals and security researchers are constantly prodding and testing the code, looking for flaws that can allow a “computer hacker” to take control of a computer or steal valuable data.

When a flaw is discovered, the software vendor issues an “update” or a “patch” to fix the problem.  It is like a recall to replace a defective part for a car.  Failure to apply these updates leaves the system vulnerable to attack or to be compromised, as these cybercriminals use these same updates to reverse engineer ways to take advantage of these vulnerabilities.

Your organization may think “Why would they want to attack us?” We argue – why give them the opportunity, and put your organization at risk?

On rare occasions, an update will cause an unanticipated compatibility issue with a specific application, and the application vendor normally addresses the issue promptly.  The solution is NOT to stop updating the system indefinitely. This WILL leave the system vulnerable, making the entire network vulnerable if infected or attacked.  As a last resort, if  postponing updates is required, it should only be for as short of a time as possible, and the ideal approach would be to ensure that the system that is not updated is not used for other purposes (taken off the network) and not exposed to threats to which is may be vulnerable.

No application is permanently tied to an older version of JAVA, or any other application.  If a JAVA update does cause a problem, it is NOT wise to revert to an older and vulnerable version of JAVA. On very rare occasions, we have seen a situation where a JAVA update causes an application (typically one that is poorly written) to “break”.  In all such cases, the vendor responded by quickly updating THEIR software to be compatible with the new version of JAVA.

We do recognize that applying updates to systems that have not been properly maintained and updated properly may cause some frustrations, inconvenience, and perhaps even consternation, to users who were faced with changes in the “look and feel”, or a change in settings.  However, any problems beyond this are less related to the updates themselves, and more to the lack of proper maintenance or updates to the systems as a whole.

First, a couple from Micrsoft:

This one dates back no less than 17 years and is related to a virtualization technology that allows 16-bit applications to run on 32-bit Windows platforms (virtualization is NOT a new technology). 64-bit versions of Windows are only minimally affected, but 32-bit versions that have 16-bit execution enabled are vulnerable.

This vulnerability in IE is serious enough to prompt Micrsoft to issue an emergency patch today. Yes – that means it is serious.

If you are a Mac user feeling smug about those MS security woes, you should know that Apple has also issued a security update that addresses a dozen serious security issues as well.

More “stuff you should know” coming soon…..

Dennis H in West Virginia, US

January 21, 2010