Everyday Security in an Online World

Update Your Software

Bugs

It’s difficult for software developers to predict every possible way in which every function of their product might be used. When an application encounters an unanticipated situation, it may behave strangely, or crash and need to be reopened. The app is said to have a bug. Most software contains bugs, which is why we’re so familiar with the idea of restarting the computer when things go wrong.

At the same time, we often wish our devices were easier to use or more capable. As the world around us changes, so do our computing needs. Additionally, software companies are invariably keen to release new products to stay profitable and relevant in a competitive industry. To meet these demands, software is always evolving, and the Internet has made it easy for developers to issue updates quickly. But for all the good it can bring, this unending change also creates a continuous supply of new bugs.

Developers test their software throughout its production, trying to find bugs in order to eliminate them. But the biggest test is when the product is released and subjected to real-world use by millions of people.

Vulnerabilities and exploits

Sometimes the consequences of a bug are more serious than strange behaviour or crashes. Certain bugs create a condition in which a third party could hijack the operation of the app for their own purposes. Such a bug is called a vulnerability.

Computer code written specially to take advantage of a vulnerability is called an exploit. Deploying exploits against other people’s devices is illegal in most countries, but common nonetheless, and made easier because the Internet knows no geographic boundaries. People do it to steal information, destroy data, commit fraud, attack other systems, make ideological statements, and more.

In the worst cases, vulnerable software can be exploited with very little interaction by the user. In other words, you might not need to be tricked into downloading or agreeing to anything. You might simply visit a website and find your computer infected or your data destroyed.

Of course, you could be careful to only visit websites you trust. But even well-known sites have been known to be hijacked and used to cause harm.

Also, many otherwise healthy websites include advertising served by third parties. There are numerous examples of online advertising space being abused to exploit vulnerable apps and deliver malicious software. There’s even a name for it: malvertising.

And as if that isn’t enough, there have occasionally been vulnerabilities where – for example – simply receiving a specially crafted message can breach a phone’s security and lead to the owner’s private information being extracted. When you consider that your phone could receive an unsolicited message from anyone in the world, you realise how severe such a vulnerability is: no amount of ‘being careful’ can reduce your chance of becoming a victim.

Disclosure and patching

People with the necessary time and skill, from many walks of life, seek out vulnerabilities in software. Some of these security researchers are employed by companies, some are self-employed, and some pursue it as a hobby. If they find a vulnerability, they report it to the developer, typically agreeing to keep the discovery private while the developer works to fix it. This is known as responsible disclosure, and researchers may receive money, called a bug bounty, in return.

The developer then releases a patch to fix the bug, or an updated version of the software with the bug removed. Once installed, this closes off that particular way of exploiting the software.

So, in the dark cloud of bugs caused by software’s unending evolution, the silver lining is that this very same process can be used to fix bugs — and to deliver those fixes to customers.

Zero-day vulnerabilities

Unlike a well-intentioned researcher, a nefarious individual discovering a vulnerability may take advantage of it themselves, or sell details on a kind of black market. Consequently, the first a company may hear of a vulnerability in its software is when it’s seen being exploited in the wild. This is particularly dangerous because no patch is yet available; we call it a zero-day vulnerability.

It’s rumoured that governments are some of the highest bidders for knowledge of zero-day vulnerabilities, for potential use against other nation states in cyber warfare.

Obsolescence

Developing patches is expensive. Testing must be done, too, to check that fixing one bug hasn’t introduced another. So, after a while, software companies will stop updating older products in order to focus on their newer ones.

Newer software may require more computing resources or particular hardware, so some updates are available only for more recent or more highly-specified devices.

If you’re using an old version of an app that is unsupported – or if your device is too old or not powerful enough to run a current operating system – you’re left with reduced security. For this reason you may sometimes be advised to replace an ageing computer, tablet or phone even though it isn’t broken.

What you can do
