When I was about 13 years old, my neighbors put a pool in their back yard. However, they failed to put a fence around it. My sister at the time was only four years old, and there were many people her age in the neighborhood. In our community there was an ordinance that required such fences, but the neighbors ignored it, as they did my parents’ pleas.
While you can question the wisdom of letting a four year old walk around on his or her own, at the time it was the norm for our community, and one day little Donald was on his own, dangling his feet in the neighbor’s unsupervised pool. After running out of our house as fast as she could and pulling Donald away from the pool, my mother filed a complaint, causing the neighbors to have to pay a fine. Donald’s parents could have sued.
Our neighbors created an attractive nuisance and needed to be held accountable. While not exactly the same, regularly updating your software with the latest versions does reduce a computer’s exposure to vulnerabilities. What’s more, there is a well known network effect of doing so. When you patch your software, not only do you protect your computer against attack by others, but you also prevent your computer from being used as a vehicle to attack others. Put another way, not patching your software makes your system a nuisance to others. The bad guys know this. One study by Jianwei Zhuge, et al, shows that exploits often appear in the wild before or very shortly after a patch is released. A position paper written by Ross Anderson, et al., for ENISA will tell you which vendors are better and which are worse at patching.
A new study released this week by people at the ETH, Google, and IBM shows that in the best case with Firefox, no more than 83% of users patch their browsers. The worst case is Internet Explorer, where you are more than likely not to have the latest patch.
What does all this say? First of all it says that Firefox is probably doing a pretty good job. One wonders what is going on with the 17% of individuals who do not patch their browsers. Perhaps we have another case of rational ignorance, as I discussed previously. The study also says that Microsoft could do a better job. Part of Microsoft’s problem is that they have previously released “security” patches that do more than fix security problems. Distribution of Windows Genuine Advantage, which has been called a form of spyware, degraded peoples’ trust in Microsoft.
Apple isn’t all that much better than Microsoft. For one, their patch rates are actually slower than that of Microsoft. For another, Safari 3 broke stuff, which is precisely why many people do not upgrade. Sun and HP are even worse.
Much as we like to blame vendors, in some cases we have nobody to blame but ourselves. Here is something to do. Check that you are running the latest version of the software you use. If you use anything more than the standard application suite for your computer, there is a very good chance you are out of date.