10 Critical Steps to Survive a Ransomware Attack, Step 2: Patch, Patch, Patch.

What are software patches? Patches are fixes for “bugs,” or flaws in programs. While some people still like to say “computers don’t make mistakes,” one must remember that computers are designed, built, and programmed by humans… and humans certainly make mistakes. Software patches are created when a problem is found, and the author of the program fixes it. To take advantage of this fix, you must install the update on your system.
Sometimes patches are minor, and may look like an addition to the version number of the program. An example of this would be Microsoft Internet Explorer 11.0.29. In this case, the major version number is 11, with a minor version of 0.29. Essentially this means that there have been approximately 29 updates to Internet Explorer version 11. I say “approximately” because sometimes software publishers will skip releasing minor versions, so, for example, Microsoft may never have released Internet Explorer 11.0.28, and skipped straight to 11.0.29.
So what do these patches do? They fix problems with the software. Often these problems are relatively benign, like fixing a problem with the way the mouse cursor shows up on your screen. But sometimes they are extremely serious. For instance, Microsoft recently issued a patch to its Windows operating system that allowed for “remote code execution.” This is techspeak for “the ability for a third party to run programs on your computer without your permission or knowledge.”
If that sounds scary, it should, because it means these flaws result in the ability for hackers to completely take over your system from anywhere in the world over the Internet if it has not been properly secured.
So what do you do? Even if you configure your computer to automatically update itself, third party applications (things like Microsoft Office, Oracle Java, and Adobe Reader) often do not do so without the user’s interaction. This means that someone has to click a button in a pop-up message to approve the upgrade process, and often this requires them having administrative rights over their computer.
The problem is that malware often disguises itself to look like a legitimate software update. For example, take a quick look at these software update notices.
 jupdate1jupdate2 jupdate3 jupdate4
Can you tell which ones are legitimate and which ones are fake? Upon casual observation, even the most savvy user may mistake the fake ones for real because they are that similar*. The solution is to not present end users with these popups at all, instead having these updates managed by an IT administrator who approves legitimate patches and serves them up to systems as needed, without asking for the end-user’s interaction. Then, training users to never click on popups and immediately notify their IT staff if something like this is detected.
To Update, or Not to Update
Sometimes I hear that people do not want to install any updates because they may cause problems. “But Peter! I installed a software update on my system once, and it completely crashed!” This is like saying “I had the oil changed in my car once, and they didn’t do it right, causing engine damage. So now I never change the oil.
Yes, it is true that – on rare occasions – software updates themselves may contain bugs and can destabilize your system. As said, these cases are rather rare, and in most instances, you are much better off taking the updates. However, the best practice is to have test systems in place so that patches can be tested prior to being installed on production systems. This is something you should work with your IT provider on. If this is not possible, then the next best thing is to set aside a computer (or small group of representative computers), and apply patches and updates there as soon as they are available, monitor the system for problems for a few days, then apply the patch to the rest of your systems. Obviously this is not a very formal method, but it’s greatly preferred to not patching at all (or patching “when I get around to it”).

* The first one is legitimate. The second one could be, or could be a fake. The last two are clearly fake websites made to look like Windows Software Update notices.

If you’d like to hear this article discussed in podcast form, it is available as an episode of the Blurring the Lines Podcast. Or, you can continue reading part three.

Peter Nikolaidis is an information security professional based in Cambridge, MA. He holds several information security certifications, including the CISSP. In his spare time, he enjoys practicing martial arts and yoga, mountain biking, and thinking about ways to protect the innocent… often from themselves. Connect with Peter on LinkedIn.