Three out of Four Adobe Reader users don't patch?
That's a self-selecting group, surely?
Anyone with the sense & know-how to religiously apply all Adobe patches isn't the sort of person to be running Adobe software in the first place...
Patching rates went down in 2016 despite an increase in availability of security patches, according to a new study out today. Last year Secunia Research at Flexera Software recorded a total of 17,147 vulnerabilities in 2,136 products from 246 vendors. Even though a big majority (81 per cent) of all vulnerabilities had patches …
Offer a starving man a moose-turd pie, and watch him hesitate. The typical "update", even (especially?) a "security critical" one is as likely to contain corporate or state malware as it is to actually fix something. To be fair, sometimes they do actually fix something, typically something a competitor (Google/Apple/MSFT/FSB) was using...
In an ideal world, "Security fixes" would be exactly, and only, that. No software equivalent of the "Omnibus puppies and motherhood (and indefinite pretrial detention and unlimited expense accounts for MPs) act". In the real world, modern software is so full of bizarre dependencies that it is entirely plausible that deprecating a particular encryption suite will break the ability to display cat videos in other than 4:3 aspect ratio, or some such.
Mike 16: Amen to that. I couldn't agree more.
Microsoft, Apple and the other software vendors have rather stupidly decided to poison the update mechanism with marketing-related "upgrades".
So yes, I will be aware that I am running a known-vulnerable version of software. I'll also be aware that if I choose to patch that vulnerability, I'll also get unwanted crap too - the new, secure, patched version will have also acquired the ability to show me adverts, "telemetry", mandatory TwitFaceGram integration, and as you mentioned, probably a state-sponsored backdoor or two as well.
0.00001% chance of being hacked (especially if I observe basic secure browsing habits) if I don't patch, vs. near-100% chance of my OS or app changing in unwanted ways if I do... gee, yes, I'd hesitate.
"0.00001% chance of being hacked (especially if I observe basic secure browsing habits) if I don't patch, vs. near-100% chance of my OS or app changing in unwanted ways if I do... gee, yes, I'd hesitate."
Not to mention that even average users using Android are becoming aware of data slurping when PlayStore app updates inform you that $simple_app now wants access to your phone ID, contacts list etc. so are being conditioned to be suspicious of all updates.
It's well known that infections spread best in monocultures.
Computer viruses, trojans and worms would surely follow that maxim.
Stay out of the monoculture, turn off all updates (and sometimes manually patch the occasional really nasty ones) and you'll be an unattractive target for the script kiddies' botnets.
Not to mention the bloatware listed above requiring more and more memory and eventually a hardware upgrade....
Adobe makes patching hard; updates are well hidden on their FTP server. I use the free PDQ Deploy across my network to apply patches and [shameless plug] I have AuditQi, a program I've developed to track the versions of apps. I've open-sourced this application under a GPL3 licence; just google "AuditQi" for download info and the wiki.
This allows me to identify when patches are failing on some machines and need manual troubleshooting, as they sometimes do, and to see other useful machine-related info (memory, spare drive space, etc.).
It's also helpful in letting me know who is logged in and broadly what apps are most used. AuditQi does require running an agent on machines to collect info and a MySQL backend for storage, so some setup is required, but a dedicated server isn't. I'm hoping this might be of interest to some. [end plug]
Yes, patching has been poisoned by the vendors taking the piss and misusing the process.
Yes, aware members of the public may well be wary.
But most of the public are simply clueless. They don't patch their devices for the same reason they don't floss their teeth. A mix of ignorance and laziness.
Being fully patched may expose you to MS, FB and all the slurp factories, but it has the advantage that you have a far smaller attack surface to worry about,
i.e. 22 vulnerabilities in a year rather than the 17,147,
and it makes the script kiddies nigh on impotent, as they don't have the skill or inclination to go after the zero-days.