Sunday, December 21, 2008

I thought I had updated

A few days ago, like many IT people worldwide, I received a distressed call from a friend about the recent Microsoft Internet Explorer issue that they had seen all over the media. What did they need to do? I told them that they had to run a Microsoft Update from their browser. Having never done this (first bad sign) I had to given them an idea of what needed to be done. They were much calmer now knowing what make then safe. After not hearing again from them after a few day I assumed all was fine.

I was actually visiting this same friend today so I thought I’d just take a look at their system to ensure that it had been updated. I was amazed to find that the machine was not up to date at all and in fact was still vulnerable. After starting the update process I quizzed my friend as to why they hadn’t updated. Their reply was “I thought I had”.

So what happened? In theory Microsoft Update is only for Microsoft to inform the user about patches that need to be applied to the system. That is UNLESS they haven’t installed Service Pack 3 for Windows XP! If that hasn’t been installed you’ll see a screen like this:


 The top option, and the one most likely to be picked by unsuspecting users like my friend, is to install Windows XP Service Pack 3 and no other updates. So what happened is my friend pushed the top button, not reading the actual instructions on the page, as non-computer people do, and merely installed Windows XP Service Pack 3 on their machine and nothing else.

Was their machine still vulnerable? Yes. Were they likely to run another update? Nope. Chalk up another win for the bad guys. This time in my books it really is an own goal on Microsoft’s part. Sure Windows XP Service Pack 3 is important but it isn’t a critical update. Being the first choice on the screen it is what most users (who aren’t computer people) are going to select in their quest to be “safe” given all the hysteria. Microsoft updates should be for critical updates only and if you are going to put a message about a Service Pack make it the second choice. Microsoft, please remember, most people have no idea about technology.

Perhaps I should have told my friend to keep running Microsoft Update until there were no more updates. Perhaps they should have read the update screen more carefully. Maybe, maybe, maybe. Yet it only takes one maybe for an attacker to compromise a system. Once they get control, your only real option is to reformat and reload, today’s malware is just too sophisticated for any cleaning tool to deal with 100% effectively. To guarantee that your system is clean after an infection the only option is a complete reload. Who wants to do that? No-one but the odds are stacked in an attackers favour. Why? You need to defend your system against EVERY threat in Windows, Office, iTunes, Acrobat and piece of software you have installed on your machine. Not just Windows, the lot. An attacker only needs to exploit ONE SUCCESSFULLY and they can have control. So who’s got the better odds? It certainly isn’t you!

It further illustrates to me the divide between those that develop IT systems and those that use them. The void between the level developers believe users are and where they actually are is immense and getting bigger everyday. Wasn’t technology supposed to get easier? The reality is that is only getting easier for attackers to compromise systems. What does that say for a system we put so much faith in these days. Our common technology is built on very shaky ground, very shaky indeed.