Internet Survival Skills 101 – Automatic Updates


SOHO (Small Office / Home Office) users face a special set of challenges securing their computers due to the lack of a trained IT staff to manage their systems. While you may have enabled Automatic Updates on your Windows computer, can you sleep tonight knowing that you are one step ahead of the bad guys?


Automatic Updates are a good start, but this service is far from comprehensive, even for Microsoft’s own products. You’ll need to visit the Office Update site to keep your MS Office products up to date, although we have seen some critical updates to Office products pushed via Automatic Updates recently.


Even with a visit to both sites your Microsoft products could be vulnerable. Take the GDI+ vulnerability as an example. This Microsoft defect has the potential to cause significant damage to Microsoft Windows computers via two simple vectors: viewing HTML email in a preview window with images not blocked and viewing JPEG attachments.  Using Microsoft’s tools to mitigate this vulnerability left a number of systems we’ve examined recently only partially patched. SANS has made available a convenient tool to scan your computer (Windows 2000 and up) for vulnerable GDI+ code.


Recently Microsoft put up some pages with links to more patches that could be needed to fully protect you from the GDI+ vulnerability - albeit with a little detective work and elbow grease.


Third party applications present yet another set of challenges. Commonly installed software such as Adobe Reader, Real Player, Winamp, instant messaging applications, mail clients and web browsers have been reported to be vulnerable to a variety of exploits that could allow an attacker to take over your machine.  Examine Firefox, a browser often suggested as a safer alternative to Internet Explorer.


Keeping up with these issues means using the update feature of each individual third-party product, checking those vendors websites for the products you have installed, and/or subscribing to security newsletters or checking one (or more) of the security sites which publicize these vulnerabilities:


Frank Boffey, CISSP

RE FormsNet, LLC