Why you should keep internet-facing software up-to-date

30th October 2014

Security, security, security, security

Let me emphasise a simple fact. All non-trivial internet-facing programs have many security vulnerabilities. But most of them are unknown, and since no-one knows about them, no-one exploits them. The security of a program depends on the number of known unfixed security vulnerabilities, not the total.

Now you might object that there might be security vulnerabilities that only the "bad guys" know about and which they keep secret. Nay I tell you. They could only keep the vulnerability secret by not exploiting it. If thousands of computers start getting compromised or encrypted connections tapped, it's not like no-one will notice. There are people and organisations who study such things.

So if it's not known, it's not being exploited. Unless it's very new, which is a special case. So, let me say again. The total number of security vulnerabilities in a program is not really important, only the number of known unfixed ones.

Now, people constantly discover security vulnerabilities in internet-facing programs. However, if your program is receiving security updates, and you download said updates promptly, the number of known unfixed vulnerabilities is kept under control, and can be kept at an arbitrarily low number depending on how fast the software maintainer fixes the vulnerabilities after they become known.

However, if you do not download updates, either because you don't think it's necessary or because you are using an ancient piece of software that's no longer supported by the maintainer, then the number of known unfixed vulnerabilities accumulates at a steady rate, potentially up to the total number of vulnerabilities the software has (which may be in the thousands). So a previously somewhat secure program actually becomes insecure just because it has stopped receiving updates.
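The model in the last three paragraphs can be written down and run. The following is an added example, not code from the original post; it assumes a toy schedule in which one vulnerability is disclosed every `disclosure_interval` days, the maintainer ships a fix `fix_delay` days after disclosure, and the installation applies that fix `patch_lag` days after it ships (`None` meaning the installation is never updated, whether because updates are ignored or because the software is out of support). All of these numbers are constructed for illustration.

```python
"""Known-unfixed vulnerability count on one installation, day by day.

Constructed toy model of the argument in the post: a vulnerability counts
against you from the day it becomes public until the day the fix is applied
on your machine. If the fix is never applied, it counts forever.
"""


def known_unfixed(day, disclosures, fix_delay, patch_lag):
    """Number of publicly known vulnerabilities still unfixed on `day`.

    disclosures: days on which a vulnerability became publicly known
    fix_delay:   days the maintainer takes to ship a fix (assumed constant)
    patch_lag:   days the installation waits before applying a shipped fix,
                 or None if the installation never receives updates
    """
    count = 0
    for disclosed in disclosures:
        if disclosed > day:
            continue  # not yet public, so nobody is exploiting it
        if patch_lag is None:
            count += 1  # unsupported or never updated: stays open forever
            continue
        fixed_on_this_machine = disclosed + fix_delay + patch_lag
        if fixed_on_this_machine > day:
            count += 1  # public, but the fix has not landed here yet
    return count


def simulate(days, disclosure_interval, fix_delay, patch_lag):
    """Per-day known-unfixed counts over `days` days of a steady disclosure rate."""
    disclosures = list(range(0, days, disclosure_interval))
    return [known_unfixed(d, disclosures, fix_delay, patch_lag) for d in range(days)]


def exposure_bound(disclosure_interval, fix_delay, patch_lag):
    """Upper bound on the steady-state count for an updated installation.

    Each vulnerability is open for fix_delay + patch_lag days, so at most
    ceil(window / disclosure_interval) can be open at once.
    """
    window = fix_delay + patch_lag
    return -(-window // disclosure_interval)  # integer ceiling


if __name__ == "__main__":
    # Constructed scenario: one disclosure a week, fixes in 3 days.
    updated = simulate(365, disclosure_interval=7, fix_delay=3, patch_lag=2)
    abandoned = simulate(365, disclosure_interval=7, fix_delay=3, patch_lag=None)
    print("updated install, worst day:  ", max(updated))
    print("never-updated install, day 365:", abandoned[-1])
    print("bound for updated install:    ", exposure_bound(7, 3, 2))
```

With these constructed numbers the updated installation never has more than one known unfixed vulnerability at a time, while the never-updated one ends the year with all 53 disclosed vulnerabilities still open; the bound function shows that the steady-state figure for an updated installation is set entirely by how quickly the maintainer ships fixes and how quickly they are applied, which is the post's point.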

So, any piece of software that connects to the internet, or handles untrusted data, should be kept up-to-date.

Other thoughts

This post was inspired by people still using the 5-year-old and unmaintained Internet Explorer 8, which is the newest version available for Windows XP, which lots of people still use. There is lots of other media on the internet that discusses Internet Explorer 8, e.g. this article. If you MUST use Windows XP then please install a web browser that still receives updates, e.g. Chrome, Firefox or Opera. I recommend Firefox.

A far less important reason to keep internet-facing software up-to-date is compatibility. Sometimes communication standards change, and when you have the old and the new trying to speak different languages it's a nightmare. Taskenizer for instance cannot work on old web browsers because it relies upon several recent internet technologies. I would have to re-write it from scratch to make it work on older web browsers. And this blog gives users of Internet Explorer 8 a 403 Forbidden error and I don't even know why (probably lack of support for modern encryption technology).

I could probably fix this Internet Explorer 8 "Forbidden" problem if I threw a lot of time at it, but it would be kind of like a shopkeeper putting a higher doorway on his shop to accommodate people standing on stilts wearing tall hats with an antenna pointing out the top. People really should not be using Internet Explorer 8.