Security Concerns about Third Party Software on your computer (part 3)

Of the over 100 apps we monitor on a daily basis there have been about 240 updates so far this year. That’s a two per day average!

Customers of our Managed Services Plans (residential users and businesses) usually subscribe to a plan that takes care of updating most of their third party software for them.

This is not a matter of luxury or convenience … it is a vital aspect of keeping their computers *secure* and ‘clean’ (as you will see very clearly later on.)

For our users these updates appear to be done ‘automatically’ and without interrupting use of their computer. There are a few updates that are a bit special and do occasionally require us to wait for the right moment to do the update. And in some very rare cases, for some very special updates, we may need to take a few extra steps and alert you that we have a special update for you and provide you options for when it’s best to do that update for you. But for the most part our users do not have to concern themselves or worry about any ‘pop-up’ from an application telling them there’s an update to make. We do it for them! Our advice to our customers on one of the plans mentioned above is to ignore or postpone any notices for updates to software. We will likely take care of the update for them in a matter of hours or days. If it continues to pop-up or they are concerned then we encourage them to contact us so we can best advise them if the update is ‘legit’ or not and what to do about it.

What’s even better about us taking care of the updates for YOU is that we work hard to make sure that all updates we make do NOT come with unwanted extra software, do NOT change your web browser’s ‘homepage’ or search provider. These are all common outcomes for people that just ‘click thru’ and blindly say ‘OK’ to updates offered to them from other sources. This is NOT the case for subscribers to Ingalls Computer Services Managed Service Plans. They get the updates they need without any extra junk or surprise changes to their system.

A: Java and Adobe Flash are common to many so lets use them as examples. Both are used so much on the internet that when there is a security issue it becomes big news. It has the potential to affect many people. As a result these companies have taken a proactive approach to try and let people know about new releases. Apple’s iTunes has a commercial incentive to keep your iTunes (and iTunes Store) functionality working great and securely (financial transactions.) But many other third party applications expect that people will keep on top of what’s the most current version of that particular software and update it themselves. Some applications do check for an update but ONLY when you go to run them which is not usually the time you want to stop what you are doing to install their update. Chrome, Firefox and others do a lot of updating on their own for you but there are times when you’ve got to know when you might need to do the update yourself or be pestered by a company that there is a special version you need to update on your own. So in the end most people remember seeing updates for Java, Flash, iTunes and a few others but there are so many additional applications on your computer that also need to be kept up-to-date and you likely don’t realize it.

A: Yes and No. Yes, the ones that offer updates (and the few that do so automatically most of the time) are very important and usually the most important. However consider something like ‘Skype’. Skype has a slight security concern which as of this writing I do not know is fixed. Apparently it’s not too hard for someone to fool Skype to turn on without your permission and end up being able to listen to whatever conversations the user might be able to listen to from your microphone or Android phone. See: ‘Serious Privacy Vulnerability In Skype For Android Discovered, Here’s How It Works’ for details. Skype is now owned by Microsoft so you probably will get an update from Microsoft when they fix that. How about reading PDF files? Many people use Adobe’s PDF reader but many others use Foxit, PDF-XChange Viewer or some other reader. PDF files can have some pretty special stuff in them. If there’s a security issue then you really want to make sure your PDF reader software is up-to-date. The same can be said for most any software. It’s all written by imperfect humans. Combine that with the possibility of bugs in other pieces of software (including your operating system) and you have conditions that could be abused and become a security threat. The responsibly of keeping our software up-to-date ultimately falls upon each of us.

A: If an update fixes a security or privacy issue then YES they are important no matter whether it’s a very familiar application or a more specific third party software application you use. If you use any one of several different PDF programs to fill-in forms, sign, password protect or just to view confidential information then you want to make sure that program is up-to-date. If you play games or puzzles then you want to make sure that not only Flash and Java are up-to-date but also Shockwave and Silverlight. If you use any software that asks you to login when you use it (or perhaps remembers your username and password) then you not only want to make sure your username and password are good ones but you also want to make sure that the software used to handle the login process is up-to-date, secure and doesn’t have any privacy holes in it!

No. Not really. There are many times when software you are using can’t updated while it’s currently running on your system. You begin to realize this is a bigger issue when you consider how many applications are setup to start running when Windows starts (or we are quick to start using them once Windows is up and running.) Some that come to mind (there are many more than this) include: Dropbox and many other file sharing / cloud based solutions, Skype, Printer Monitoring software, Remote Access, Spotify, Malwarebytes, SUPERAntiSpyware and so many more.

Now I should give credit that some of these companies do try to let you know there is an update even if it means having to temporarily shutdown the application to do the update. But not all of them let you know about updates. Some only inform you of a select few updates but not others updates they also have released. [And I’ve already said … some don’t tell you at all that there’s an update available.]

Not to pick on Skype but since its familiar to most it makes for a tangible example to use. Also note that the point I’m about to make is NOT unique to Skype either. It’s just an example but one that happens with many software applications. Skype has alerted users a few times this past year that they have a new improved version for users to update to. (Actually I can only think of two times but I’ll be generous here. Also now that Microsoft has control of Skype it’s now part of the Microsoft Update process there currently is a Skype update in the “Recommended Update” class of updates.) But back to the few times I’ve noticed Skype alerting me to an update this year. Compare that with the information I have that there have been 11 updates of Skype during that same time (the first 4 months of 2015.) I am pretty certain that I have not seen 11 different notices of updates for Skype but only a few.

I realize this is long and my apologies but I’m just about to the point I want to make here … there are many different ways a person could either run an update or have someone update their software for them. The issue and example here is that for many of those 11 updates there were ways people could have tried to update Skype (especially if they had someone try and do it automatically and they didn’t do a good job at it) and the Skype application would just fail to get updated. The reason being that the update process used (not Skype’s process) was trying to update an application that was already running and it failed to be able to do so. So until such time that someone decided to do an official Skype update (or take proper measures to quit Skype before attempting the update) you could be running for a long time with an out dated version of Skype. [At Ingalls Computer Services we monitor how our updates are working and if we see there’s an issue then we take extra steps to design an update that *will* work for our users.]

A: Signup to have ICS take care of it for you is the easy answer! You want to do it yourself? It’s going to take time and likely cost you something. You could try and be diligent and make a list of your apps and take time once a week or month to go to each vendors website and check the version and compare it to what you have (UGH!). You could find one of a few websites that try and provide announcements of when vendors release updates to their software. Very time consuming as well. There are some tools and services that try to do exactly what we do but you’ll have to do research to determine if they are legitimate, how well they will cover your needs, and does the benefit and level of service justify the cost. I’m biased. Sign up for one of our plans and know that we are taking care of this for you and gain ‘Peace of Mind’ about this whole subject.

A: NO. I want to say ‘Yes’ that you should update legitmate offers to update software (but even still you will have a lot of software that isn’t getting updated because no updates are being offered even though updates are available for them.)

There are TWO main problems with just saying “Click ‘OK’ or ‘Yes’ on all offers”.

The FIRST big problem is that there are many FAKE and malicious attempts to fool people into seeing a message that software on their system requires and update when in fact it’s not a legitimate offer but a scam, malware or virus. JUST ONE WRONG CLICK and you can potentially infect your computer to the point that it is rendered useless. We have had customers come to us that visited a website and while working on their computer a message popped up that looked 100% official. They clicked and it started a whole process of bad software being installed and taking over their system.

Here’s a recent example. This pop-up came up on a users computer and they didn’t have good security software and they were sure this was ‘real’ (I was shocked at how real it looked as well!) Wouldn’t you think the following image looks pretty official and correct?

Click on this and you will have given the “OK” for malicious software to be installed instantly on your computer … and it is NOT Adobe Flash player software! Better security software will hopefully recognize the attack and stop it. However no security software can guarantee 100% protection these days *and* if the software you agreed to be installed isn’t considered to be highly dangerous (perhaps just annoying ‘snake oil’ scam software) then your security software might conclude that you really do want this junk installed and allow it to be installed.

Also take note that the best of these ‘windows’ are designed so that no matter *where* you click in that window you will trigger the download and installation! You can’t even close the Window with normal methods without risk! If you get a window like this that you aren’t sure of then seek professional help before clicking and before it’s too late!

SECOND issue … much of the third party software we use comes loaded with extra unwanted junk software. The windows you click to ‘agree’ to install the software are designed rather cleverly so this unwanted software is preselected to be installed. You ‘OK’ or ‘Agree’ to the terms and do it so quickly that many of us fail to see the already selected offer to install this extra unwanted software. How many of you have now or at one time found that any one of the following have happened and you don’t have a clue how it happened?

• Your browser’s homepage has been changed from what you use to have it be.
• Your search provider is no longer the one you are used to and depend on but some strange new search provider has taken it’s place.
• You suddenly are getting “Security Scan” software popping up and running without notice each day or every few days (perhaps even from a legitimate security company) informing (or trying to scare) you of ten’s to hundred’s of issues on your computer and asking you to click through to purchase their produce to fix them. You may already have perfectly fine security software. What they are reporting many times is nothing to be alarmed of and are just tactics to try and get you to purchase their product. In the worst cases the product itself is a fake and you will be scammed into purchasing it.
• You suddenly realize your browser for accessing the internet has *extra* tool bars at the top of the window! Perhaps special ‘search’ area, offers for coupons, buttons for who knows what!

In short – you’ve got to be diligent in examining every window you click in to see if there isn’t something you are about to unexpectedly agree to get installed on your computer in the middle of trying to get a legitimate update installed. And the way these items are worded and how they are preselected or not selected can be very tricky to figure out what’s the best way to respond so you only get the update you want and none of the extra junk!

NONE OF THIS HAPPENS when Ingalls Computer Services does updates for you. We try our hardest to make sure that you get ONLY the update and none of the extra junk software or changes to your computer! When you are on one of our Managed Service Plans that includes third party software updating then we not only take care of the updating – we keep the junk from coming along with the updates!

A: Actually you can find the answers up above. In short you need to be extremely careful and have good security software. If you now recognize that keeping your third party software up-to-date is as important as keeping Windows and your security software up-to-date then the best and easiest answer may be to consider the value of a Ingalls Computer Services Managed Services Plan that includes doing the updates for you. Our plans offer many features. Third party software updating is just one of them.

A: If you ignore the updates then you will be exposing your computer, your personal information, your security to increasing chances of threats. The same is true if you only take care of carefully dealing with those few notices of updates and not realize and take care of the many other applications that need to be updated.

Two quick examples.

The first is Java. Java is actually good at letting the world know how many security fixes are in their updates so this will be useful for us below. The latest major version of Java as of this writing is version 8 (8u45 to be exact). However we find many people have very old versions of Java on their computer. Some have Java version 6! Java 6 was supported from around 2007 until it’s last public release April 2013. Some have Java 7. Java 7 was supported from 2011 until it’s last public release this April 2015. The good news is the Java developers have tried very hard to be proactive about informing people of updates and even removing obsolete versions of Java in the process (they didn’t use to do this but they do now.) The bad news is that if you either ignored, turned off or just didn’t do updates (especially for the older versions) then you are missing out on literally hundreds of security updates. (As a tech support person, finding someone still using just Java 6 is just plain scary and beyond belief.) There are serious security issues with some very old versions of Java and it is critical that you have your Java up-to-date. As for the future … the same could happen. Security issues are likely to be found as people use and add to Java and so it would do you well to make sure you keep your Java up-to-date. Remember this is just one example. Java is not *bad* software and the issues they have are no different than any software vendor could have.

Second example is Firefox. Again, like Java above, Mozilla Firefox is really very good about updating. If you have version of Firefox from the past few years it likely updates itself (at least for major / important updates) as you use the browser. This is great. However the following example is all too common. I have come across customers that have Firefox installed on their computer but they haven’t used it in years. In a very recent encounter with a customer they had Firefox version 3.6.3 installed from 2010! It’s 2015 and the current version of Firefox is version **38**! Now if that user isn’t using Firefox (meaning they never open it or run it) then it’s not much of a security threat. However if the day came when they were advised to use Firefox or another user were to use that old Firefox then they will be using a 5 year old version that is 35 versions behind the current one. The number of fixes, improvements and likely security fixes they are missing would be huge. (When I saw that situation I updated their Firefox to the most recent version.) Now some people might say ‘but I don’t have any reason or need to use Firefox and I don’t even know why it’s on my computer … so what’s the risk or chance that I really would ever use it since I don’t now?’ The problem is there are times when one of the other browsers (Internet Explorer, Chrome, etc.) have a serious security flaw and people are advised to temporarily use an alternative browser. The following is old news and no longer applies but this exact scenario happened in the spring of 2014. You can read more about it from this CNET article: ‘Stop Using Microsoft’s IE Browser until Bug Is Fixed, US and UK Warn – CNET.’ People were advised to use Firefox, Chrome, Safari or some alternate browser until IE could be fixed – which it did get fixed.