Now that the first victims of the Heartbleed web vulnerability…
Threat report conclusion: Patch now!
One of the major trends is no doubt the increasing importance of exploits and vulnerabilities. And you have probably already heard the nagging about how important it is to patch your system. That IS good advice and our threat report shows how it is getting even more important. But I don’t want to just repeat the nagging. I want to take the opportunity to dig a bit deeper into this issue and explain what it is all about.
There are basically two ways to get malware into your computer; to trick you to install it and to utilize a vulnerability. All software in your computer is written by humans, and as we know, “mistake” is our human race’s middle name. Mistakes in computer programs are called bugs and a vulnerability is a special type of bug. Many bugs just affect the functionality of the program. Something may not work or work in an unexpected way. Applications are supposed to handle errors in a graceful way. But they may encounter erroneous data that the programmer didn’t anticipate. The application wreaks havoc and starts behaving in an unplanned way, and this may breach security. If this can happen, then there’s a vulnerability in the system.
An exploit is data that is carefully crafted by a hacker. Its purpose is to create an error that is no accident . What happens after the error is not chaotic after all; it is orchestrated by the hacker. He has at this point gained unauthorized control and the next task is to make sure that some malware is installed permanently on the system. The attacker has successfully exploited a vulnerability.
This may happen by just visiting a web page. The web page is a document that is rendered by your browser. If your browser has a vulnerability and you visit the wrong page you may be victim of a so called drive-by download. You surf the page comfortably unaware of the fact that a program silently is installed on your computer. And that’s not a friendly program!
But I have bought an antivirus program for good money. Doesn’t that protect me? Yes, that’s good. But we still recommend that you pay attention to patches as well. Your security product will detect and block malware that is about to execute. It will monitor your file transfers over the net and block harmful content. It will even check what sites you surf and warn when entering hostile territory. And if all that fails, executing programs are watched for suspicious behavior. But all this is a cat and mouse game. The bad guys come up with new clever tricks to circumvent all these layers and the security researchers upgrade the product to cope with them. If you are unlucky you can hit malware that your product can’t cope with yet. Remember that no product will ever give you 100% protection no matter what the sleek marketoids are claiming! But you are still fine if you have patched the vulnerability that the bad guys try to exploit. The malware has to go through that bottleneck so why not plug the hole? It can’t be done by your security vendor; it must be done by the vendor of the affected software. Your security suite can just build layers of security around the hole, but not correct errors in other products.
OK, I’m convinced. I want to start patching my system now. But how? One problem is that you probably have software from several vendors on your system. They all have to produce patches for their own product and there is no single outlet that would provide patches for all vendors. That’s one of the reasons why we have made F-Secure Safe Check . This free tool checks the security of your system from several different angles; your patching status is one of them. And you will get instructions about how to patch if that is needed. Why not run it right away!
PS. Some definitions: (Source: Wikipedia)
“In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance.”
“An exploit (from the verb to exploit, in the meaning of using something to one’s own advantage) is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behaviour to occur on computer software, hardware, or something electronic (usually computerised).”
“A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance.”