Threat report conclusion: Patch now!

Our Threat report for H2 2012 is now available. Read it if you want to know what’s going on and what the threat landscape is looking like. It is interesting reading, highly recommended! If you are in a hurry and want to save the reading for later, there’s still one point that affects most users and deserves immediate attention: vulnerabilities and patching.

One of the major trends is no doubt the increasing importance of exploits and vulnerabilities. And you have probably already heard the nagging about how important it is to patch your system. That IS good advice and our threat report shows how it is getting even more important. But I don’t want to just repeat the nagging. I want to take the opportunity to dig a bit deeper into this issue and explain what it is all about.

There are basically two ways to get malware into your computer: to trick you into installing it, or to exploit a vulnerability. All software in your computer is written by humans, and as we know, “mistake” is our human race’s middle name. Mistakes in computer programs are called bugs, and a vulnerability is a special type of bug. Many bugs just affect the functionality of the program. Something may not work, or may work in an unexpected way. Applications are supposed to handle errors in a graceful way. But they may encounter erroneous data that the programmer didn’t anticipate. The application wreaks havoc and starts behaving in an unplanned way, and this may breach security. If this can happen, then there’s a vulnerability in the system.

An exploit is data that is carefully crafted by a hacker. Its purpose is to create an error that is no accident. What happens after the error is not chaotic after all; it is orchestrated by the hacker. He has at this point gained unauthorized control and the next task is to make sure that some malware is installed permanently on the system. The attacker has successfully exploited a vulnerability.

This may happen by just visiting a web page. The web page is a document that is rendered by your browser. If your browser has a vulnerability and you visit the wrong page, you may become the victim of a so-called drive-by download. You surf the page, comfortably unaware of the fact that a program is silently being installed on your computer. And that’s not a friendly program!
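The step from "data the programmer didn’t anticipate" to a breach of security, and what a patch changes, shown as an added example in C that is not part of the original post. The record format, the `region` layout, the function names and the sample values are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed layout: a document record stored next to unrelated private data. */
struct region {
    unsigned char doc[8];      /* 1 length byte + up to 7 title bytes */
    char          secret[16];  /* data the document must never reach  */
};
const unsigned char normal[]  = { 5, 'H', 'e', 'l', 'l', 'o' };
const unsigned char crafted[] = { 15, 'A', 'A', 'A', 'A', 'A', 'A', 'A' };

/* Place a document and the neighbouring secret into the region. */
void load(struct region *r, const unsigned char *doc, size_t len)
{
    memset(r, 0, sizeof *r);
    memcpy(r->doc, doc, len < sizeof r->doc ? len : sizeof r->doc);
    strcpy(r->secret, "pin=4921");
}

/* Unpatched: trusts the length byte chosen by whoever wrote the document. */
int title_unpatched(const struct region *r, char *out, size_t cap)
{
    const unsigned char *p = (const unsigned char *)r;  /* doc is at offset 0 */
    size_t n = p[0];
    if (n >= cap) return -1;
    memcpy(out, p + 1, n);     /* can run past doc[] into secret[] */
    out[n] = '\0';
    return (int)n;
}

/* Patched: the declared length must fit inside the record itself. */
int title_patched(const struct region *r, char *out, size_t cap)
{
    size_t n = r->doc[0];
    if (n > sizeof r->doc - 1 || n >= cap) return -1;  /* reject bad input */
    memcpy(out, r->doc + 1, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    struct region r; char out[64];
    load(&r, normal, sizeof normal);
    printf("normal:    %d bytes\n", title_patched(&r, out, sizeof out));
    load(&r, crafted, sizeof crafted);
    title_unpatched(&r, out, sizeof out);
    printf("unpatched: \"%s\"\n", out);
    printf("patched:   %d\n", title_patched(&r, out, sizeof out));
    return 0;
}
```

Both versions handle the well-formed record identically; only the record whose length byte lies about its size tells them apart, which is why an unpatched program can appear to work perfectly.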

But I have bought an antivirus program for good money. Doesn’t that protect me? Yes, that’s good. But we still recommend that you pay attention to patches as well. Your security product will detect and block malware that is about to execute. It will monitor your file transfers over the net and block harmful content. It will even check what sites you surf and warn when entering hostile territory. And if all that fails, executing programs are watched for suspicious behavior. But all this is a cat and mouse game. The bad guys come up with new clever tricks to circumvent all these layers and the security researchers upgrade the product to cope with them. If you are unlucky you can hit malware that your product can’t cope with yet. Remember that no product will ever give you 100% protection no matter what the sleek marketoids are claiming! But you are still fine if you have patched the vulnerability that the bad guys try to exploit. The malware has to go through that bottleneck so why not plug the hole? It can’t be done by your security vendor; it must be done by the vendor of the affected software. Your security suite can just build layers of security around the hole, but not correct errors in other products.

OK, I’m convinced. I want to start patching my system now. But how? One problem is that you probably have software from several vendors on your system. They all have to produce patches for their own product and there is no single outlet that would provide patches for all vendors. That’s one of the reasons why we have made F-Secure Safe Check. This free tool checks the security of your system from several different angles; your patching status is one of them. And you will get instructions about how to patch if that is needed. Why not run it right away!


PS. Some definitions: (Source: Wikipedia)

“In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance.”

“An exploit (from the verb to exploit, in the meaning of using something to one’s own advantage) is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behaviour to occur on computer software, hardware, or something electronic (usually computerised).”

“A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance.”
