Significant security concerns … on your computer … must not be ignored.
This is the third and last of a series of posts on this topic. Note I will use ‘3rd Party app’, ‘apps’ and ‘Third Party Software’ interchangeably throughout these postings.
In the last post I covered ‘How many 3rd party apps do you think you have on your computer?’ and you likely learned you have many more than you ever imagined. (Average is 14-18 per computer with 80% of computers having 10 or more, 50% having 15 or more.)
Now it’s time to talk about the surprising frequency and number of updates these third party applications have, and to give a wake-up call: most of them have updates that you haven’t known about, and thus they are not up-to-date on your system. I will also cover why you don’t know about them, why your software is so out of date, what the risks are (damned if you do, damned if you don’t) concerning updating third party software, and how you can get ‘Peace of Mind’ with this whole topic!
- How many updates? How often are these updates, really?
Across the 54 apps that people in our user base (users just like you) use, there have been 145 updates in just the first 120 days of 2015! That’s more than one update every day for the first 4 months of this year! And remember we are not talking about your regular Microsoft updates. These are updates to third party software applications (some well known, many unknown to users like yourself) that are on your computer, that you depend on, and that you hope and expect are secure.
Of the over 100 apps we monitor on a daily basis there have been about 240 updates so far this year. That’s a two per day average!
Subscribers to Ingalls Computer Services Managed Service Plans do not have to worry about this. Here is why they have 'Peace of Mind' that this is taken care of for them.
Customers of our Managed Services Plans (residential users and businesses) usually subscribe to a plan that takes care of updating most of their third party software for them.
This is not a matter of luxury or convenience … it is a vital aspect of keeping their computers *secure* and ‘clean’ (as you will see very clearly later on.)
For our users these updates appear to be done ‘automatically’ and without interrupting use of their computer. There are a few updates that are a bit special and do occasionally require us to wait for the right moment to do the update. And in some very rare cases, for some very special updates, we may need to take a few extra steps and alert you that we have a special update for you and provide you options for when it’s best to do that update for you. But for the most part our users do not have to concern themselves or worry about any ‘pop-up’ from an application telling them there’s an update to make. We do it for them! Our advice to our customers on one of the plans mentioned above is to ignore or postpone any notices for updates to software. We will likely take care of the update for them in a matter of hours or days. If it continues to pop up or they are concerned, then we encourage them to contact us so we can best advise them whether the update is ‘legit’ or not and what to do about it.
What’s even better about us taking care of the updates for YOU is that we work hard to make sure that all updates we make do NOT come with unwanted extra software, do NOT change your web browser’s ‘homepage’ or search provider. These are all common outcomes for people that just ‘click thru’ and blindly say ‘OK’ to updates offered to them from other sources. This is NOT the case for subscribers to Ingalls Computer Services Managed Service Plans. They get the updates they need without any extra junk or surprise changes to their system.
Some FAQ’s (Frequently Asked Questions) and then a wrap-up …
Q: How come I only see 3 or 4 offers for updates a few times a year but you've just told me there are many *more* updates? Why am I not seeing messages about all these other updates?
A: Java and Adobe Flash are common to many, so let’s use them as examples. Both are used so much on the internet that when there is a security issue it becomes big news. It has the potential to affect many people. As a result these companies have taken a proactive approach to try and let people know about new releases. Apple’s iTunes has a commercial incentive to keep your iTunes (and iTunes Store) functionality working great and securely (financial transactions). But many other third party applications expect that people will keep on top of what’s the most current version of that particular software and update it themselves. Some applications do check for an update but ONLY when you go to run them, which is not usually the time you want to stop what you are doing to install their update. Chrome, Firefox and others do a lot of updating on their own for you, but there are times when you’ve got to know when you might need to do the update yourself or be pestered by a company that there is a special version you need to update on your own. So in the end most people remember seeing updates for Java, Flash, iTunes and a few others, but there are so many additional applications on your computer that also need to be kept up-to-date and you likely don’t realize it.
Q: Aren't those 3 or 4 vendors that do offer updates the most important ones? What's the big deal about any others? If they were important wouldn't they tell me?
A: Yes and No. Yes, the ones that offer updates (and the few that do so automatically most of the time) are very important and usually the most important. However, consider something like ‘Skype’. Skype has a slight security concern which, as of this writing, I do not know to be fixed. Apparently it’s not too hard for someone to fool Skype into turning on without your permission and end up being able to listen to whatever conversations the user might be able to listen to from your microphone or Android phone. See: ‘Serious Privacy Vulnerability In Skype For Android Discovered, Here’s How It Works’ for details. Skype is now owned by Microsoft so you probably will get an update from Microsoft when they fix that. How about reading PDF files? Many people use Adobe’s PDF reader but many others use Foxit, PDF-XChange Viewer or some other reader. PDF files can have some pretty special stuff in them. If there’s a security issue then you really want to make sure your PDF reader software is up-to-date. The same can be said for most any software. It’s all written by imperfect humans. Combine that with the possibility of bugs in other pieces of software (including your operating system) and you have conditions that could be abused and become a security threat. The responsibility of keeping our software up-to-date ultimately falls upon each of us.
Q: Are these updates really necessary? Why are they so important?
A: If an update fixes a security or privacy issue then YES they are important no matter whether it’s a very familiar application or a more specific third party software application you use. If you use any one of several different PDF programs to fill-in forms, sign, password protect or just to view confidential information then you want to make sure that program is up-to-date. If you play games or puzzles then you want to make sure that not only Flash and Java are up-to-date but also Shockwave and Silverlight. If you use any software that asks you to login when you use it (or perhaps remembers your username and password) then you not only want to make sure your username and password are good ones but you also want to make sure that the software used to handle the login process is up-to-date, secure and doesn’t have any privacy holes in it!
Q: Even for the most common applications, can't I rest assured they are always up-to-date?
A: No. Not really. There are many times when software you are using can’t be updated while it’s currently running on your system. You begin to realize this is a bigger issue when you consider how many applications are set up to start running when Windows starts (or we are quick to start using them once Windows is up and running). Some that come to mind (there are many more than this) include: Dropbox and many other file sharing / cloud based solutions, Skype, Printer Monitoring software, Remote Access, Spotify, Malwarebytes, SUPERAntiSpyware and so many more.
Now I should give credit that some of these companies do try to let you know there is an update even if it means having to temporarily shut down the application to do the update. But not all of them let you know about updates. Some only inform you of a select few updates but not other updates they also have released. [And I’ve already said … some don’t tell you at all that there’s an update available.]
Not to pick on Skype, but since it’s familiar to most it makes for a tangible example to use. Also note that the point I’m about to make is NOT unique to Skype either. It’s just an example, but one that happens with many software applications. Skype has alerted users a few times this past year that they have a new improved version for users to update to. (Actually I can only think of two times but I’ll be generous here. Also, now that Microsoft has control of Skype, it’s now part of the Microsoft Update process; there currently is a Skype update in the “Recommended Update” class of updates.) But back to the few times I’ve noticed Skype alerting me to an update this year. Compare that with the information I have that there have been 11 updates of Skype during that same time (the first 4 months of 2015). I am pretty certain that I have not seen 11 different notices of updates for Skype but only a few.
I realize this is long and my apologies, but I’m just about to the point I want to make here … there are many different ways a person could either run an update or have someone update their software for them. The issue and example here is that for many of those 11 updates there were ways people could have tried to update Skype (especially if they had someone try and do it automatically and they didn’t do a good job at it) and the Skype application would just fail to get updated. The reason being that the update process used (not Skype’s process) was trying to update an application that was already running and it failed to be able to do so. So until such time that someone decided to do an official Skype update (or take proper measures to quit Skype before attempting the update) you could be running for a long time with an outdated version of Skype. [At Ingalls Computer Services we monitor how our updates are working and if we see there’s an issue then we take extra steps to design an update that *will* work for our users.]
Q: How do I find out about what other updates I need if they aren't being offered by Microsoft and the third party software vendors aren't alerting me?
A: Signing up to have ICS take care of it for you is the easy answer! You want to do it yourself? It’s going to take time and likely cost you something. You could try and be diligent and make a list of your apps and take time once a week or month to go to each vendor’s website and check the version and compare it to what you have (UGH!). You could find one of a few websites that try and provide announcements of when vendors release updates to their software. Very time consuming as well. There are some tools and services that try to do exactly what we do, but you’ll have to do research to determine if they are legitimate, how well they will cover your needs, and whether the benefit and level of service justify the cost. I’m biased. Sign up for one of our plans and know that we are taking care of this for you and gain ‘Peace of Mind’ about this whole subject.
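For readers who do want to try the do-it-yourself list on Windows, here is an added example (not part of the original post and not Ingalls Computer Services' own tooling) that reads the installed-program list from the registry, compares it with a baseline, and notes whether the application is running, which is the failure case described for Skype above. The baseline holds only the two versions this post names (Firefox 38, Java 8u45); the name patterns, the `Process` names and the assumption that Java puts its version in the display name are mine.

```powershell
# Added example, not from the original post. 'Latest' values are the two
# versions the post names; NamePattern and Process are assumptions about how
# these products register themselves. Extend the list from vendor release pages.
$Baseline = @(
    [pscustomobject]@{ App = 'Firefox'; NamePattern = '^Mozilla Firefox'
                       VersionFrom = 'DisplayVersion'; Latest = '38'
                       Process = @('firefox') }
    [pscustomobject]@{ App = 'Java'; NamePattern = '^Java(\(TM\))? \d+ Update \d+'
                       VersionFrom = 'DisplayName'; Latest = '8u45'
                       Process = @('java', 'javaw') }
)

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # Java style: "8u45" or "Java 8 Update 45" becomes 8.45
    if ($Text -match '(\d+)(?:u| Update )(\d+)') {
        return [version]('{0}.{1}' -f $Matches[1], $Matches[2])
    }
    # Dotted style: keep up to four leading numeric fields ("38" becomes 38.0)
    if ($Text -match '^\s*(\d+(?:\.\d+){0,3})') {
        $v = $Matches[1]
        if ($v -notmatch '\.') { $v = "$v.0" }
        return [version]$v
    }
    return $null   # unparseable: report it instead of guessing
}

# Per-machine (64-bit and 32-bit views) and per-user installed-program lists.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

$Report = foreach ($entry in $Baseline) {
    $want  = ConvertTo-ComparableVersion $entry.Latest
    $field = $entry.VersionFrom
    $hits  = @($Installed | Where-Object { $_.DisplayName -match $entry.NamePattern })
    foreach ($app in $hits) {
        $have = ConvertTo-ComparableVersion $app.$field
        $status = if ($null -eq $have) { 'UNKNOWN' }
                  elseif ($have -lt $want) { 'OUTDATED' }
                  else { 'current' }
        # A running application is the usual reason a silent update fails.
        $running = [bool](Get-Process -Name $entry.Process -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Name      = $app.DisplayName
            Installed = $have
            Baseline  = $want
            Status    = $status
            Running   = $running
            Note      = if ($running -and $status -eq 'OUTDATED') { 'close it before updating' } else { '' }
        }
    }
}
$Report | Sort-Object Status, Name | Format-Table -AutoSize
```

Versions are compared as numbers rather than as text, so an old Firefox 3.6.3 is correctly reported as behind 38 and every leftover Java 6 or Java 7 entry gets its own OUTDATED row.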
Q: Should I always answer 'Yes' to any updates being offered? (NO - read on for why.)
A: NO. I want to say ‘Yes’, that you should accept legitimate offers to update software (but even still you will have a lot of software that isn’t getting updated because no updates are being offered even though updates are available for them).
There are TWO main problems with just saying “Click ‘OK’ or ‘Yes’ on all offers”.
The FIRST big problem is that there are many FAKE and malicious attempts to fool people into seeing a message that software on their system requires an update when in fact it’s not a legitimate offer but a scam, malware or virus. JUST ONE WRONG CLICK and you can potentially infect your computer to the point that it is rendered useless. We have had customers come to us that visited a website and while working on their computer a message popped up that looked 100% official. They clicked and it started a whole process of bad software being installed and taking over their system.
Here’s a recent example. This pop-up came up on a user’s computer and they didn’t have good security software and they were sure this was ‘real’ (I was shocked at how real it looked as well!). Wouldn’t you think the following image looks pretty official and correct?
[Image: A rather convincing FAKE Adobe Flash update prompt]
Click on this and you will have given the “OK” for malicious software to be installed instantly on your computer … and it is NOT Adobe Flash player software! Better security software will hopefully recognize the attack and stop it. However no security software can guarantee 100% protection these days *and* if the software you agreed to be installed isn’t considered to be highly dangerous (perhaps just annoying ‘snake oil’ scam software) then your security software might conclude that you really do want this junk installed and allow it to be installed.
Also take note that the best of these ‘windows’ are designed so that no matter *where* you click in that window you will trigger the download and installation! You can’t even close the Window with normal methods without risk! If you get a window like this that you aren’t sure of then seek professional help before clicking and before it’s too late!
SECOND issue … much of the third party software we use comes loaded with extra unwanted junk software. The windows you click to ‘agree’ to install the software are designed rather cleverly so this unwanted software is preselected to be installed. You ‘OK’ or ‘Agree’ to the terms and do it so quickly that many of us fail to see the already selected offer to install this extra unwanted software. How many of you have now or at one time found that any one of the following have happened and you don’t have a clue how it happened?
- Your browser’s homepage has been changed from what you used to have.
- Your search provider is no longer the one you are used to and depend on but some strange new search provider has taken its place.
- You suddenly are getting “Security Scan” software popping up and running without notice each day or every few days (perhaps even from a legitimate security company) informing (or trying to scare) you of tens to hundreds of issues on your computer and asking you to click through to purchase their product to fix them. You may already have perfectly fine security software. What they are reporting many times is nothing to be alarmed about and is just a tactic to try and get you to purchase their product. In the worst cases the product itself is a fake and you will be scammed into purchasing it.
- You suddenly realize your browser for accessing the internet has *extra* tool bars at the top of the window! Perhaps special ‘search’ area, offers for coupons, buttons for who knows what!
In short – you’ve got to be diligent in examining every window you click in to see if there isn’t something you are about to unexpectedly agree to get installed on your computer in the middle of trying to get a legitimate update installed. And the way these items are worded and how they are preselected or not selected can be very tricky to figure out what’s the best way to respond so you only get the update you want and none of the extra junk!
NONE OF THIS HAPPENS when Ingalls Computer Services does updates for you. We try our hardest to make sure that you get ONLY the update and none of the extra junk software or changes to your computer! When you are on one of our Managed Service Plans that includes third party software updating then we not only take care of the updating – we keep the junk from coming along with the updates!
Q: I'm confused. You've told me how important it is to keep these up-to-date but you also just said not to just answer 'Yes' to any updates being offered. Please explain and what am I supposed to do (or what should I look out for) so I can do the best thing for my computer?
A: Actually you can find the answers up above. In short you need to be extremely careful and have good security software. If you now recognize that keeping your third party software up-to-date is as important as keeping Windows and your security software up-to-date then the best and easiest answer may be to consider the value of an Ingalls Computer Services Managed Services Plan that includes doing the updates for you. Our plans offer many features. Third party software updating is just one of them.
Q: What will happen if I just ignore them and tell them to go away? What if I only deal with those that offer updates?
A: If you ignore the updates then you will be exposing your computer, your personal information and your security to increasing chances of threats. The same is true if you carefully deal with only those few notices of updates and do not realize there are many other applications that need to be updated, and take care of them.
Two quick examples.
The first is Java. Java is actually good at letting the world know how many security fixes are in their updates so this will be useful for us below. The latest major version of Java as of this writing is version 8 (8u45 to be exact). However we find many people have very old versions of Java on their computer. Some have Java version 6! Java 6 was supported from around 2007 until its last public release April 2013. Some have Java 7. Java 7 was supported from 2011 until its last public release this April 2015. The good news is the Java developers have tried very hard to be proactive about informing people of updates and even removing obsolete versions of Java in the process (they didn’t use to do this but they do now). The bad news is that if you either ignored, turned off or just didn’t do updates (especially for the older versions) then you are missing out on literally hundreds of security updates. (As a tech support person, finding someone still using just Java 6 is just plain scary and beyond belief.) There are serious security issues with some very old versions of Java and it is critical that you have your Java up-to-date. As for the future … the same could happen. Security issues are likely to be found as people use and add to Java and so it would do you well to make sure you keep your Java up-to-date. Remember this is just one example. Java is not *bad* software and the issues they have are no different than any software vendor could have.
Second example is Firefox. Again, like Java above, Mozilla Firefox is really very good about updating. If you have a version of Firefox from the past few years it likely updates itself (at least for major / important updates) as you use the browser. This is great. However the following example is all too common. I have come across customers that have Firefox installed on their computer but they haven’t used it in years. In a very recent encounter with a customer they had Firefox version 3.6.3 installed from 2010! It’s 2015 and the current version of Firefox is version **38**! Now if that user isn’t using Firefox (meaning they never open it or run it) then it’s not much of a security threat. However if the day came when they were advised to use Firefox or another user were to use that old Firefox then they will be using a 5 year old version that is 35 versions behind the current one. The number of fixes, improvements and likely security fixes they are missing would be huge. (When I saw that situation I updated their Firefox to the most recent version.) Now some people might say ‘but I don’t have any reason or need to use Firefox and I don’t even know why it’s on my computer … so what’s the risk or chance that I really would ever use it since I don’t now?’ The problem is there are times when one of the other browsers (Internet Explorer, Chrome, etc.) has a serious security flaw and people are advised to temporarily use an alternative browser. The following is old news and no longer applies but this exact scenario happened in the spring of 2014. You can read more about it from this CNET article: ‘Stop Using Microsoft’s IE Browser until Bug Is Fixed, US and UK Warn – CNET.’ People were advised to use Firefox, Chrome, Safari or some alternate browser until IE could be fixed – which it did get fixed.
What can I do so I don’t have to deal with this issue? How can I have ‘Peace of Mind’ knowing it’s all being taken care of for me?
- Let Ingalls Computer Services take care of it for you!!!
Call us and subscribe to one of our Managed Services Plans. Don’t skimp on this. This is important.
- In other words: You do nothing! Sit back and we take care of the updates for you. You get ‘Peace of Mind’ knowing your software is being looked after and updated. You won’t get unwanted extra software, toolbars or surprise changes from the updates. You don’t need to worry about any pop-ups telling you about updates*. Just let us take care of them for you.
Want more detail? See the section above that explains ‘Why subscribers to Ingalls Computer Services Managed Service Plans do not have to worry about this.’
*There are occasional times when Ingalls Computer Services may have a pop-up about updates but this usually is not the case. The times we need to are very few. The advantage is you know these pop-ups from Ingalls Computer Services (if we even need to use one) can be trusted and they are there to provide you the extra service necessary for some special case updates.
References for links included in this post:
Rehman, Zayed. “Serious Privacy Vulnerability In Skype For Android Discovered, Here’s How It Works.” Redmond Pie. Redmond Pie, 24 Dec. 2014. Web. 21 May 2015. <http://www.redmondpie.com/serious-privacy-vulnerability-in-skype-for-android-discovered-heres-how-it-works/>.
Rosenblatt, Seth. “Stop Using Microsoft’s IE Browser until Bug Is Fixed, US and UK Warn – CNET.” CNET. CBS Interactive Inc., 28 Apr. 2014. Web. 22 May 2015. <http://www.cnet.com/news/stop-using-ie-until-bug-is-fixed-says-us/>.