Kaspersky’s Q3 IT Threat Evolution Report was released last week, and although reports like these are typically used as marketing fluff by vendors, they still provide interesting insights.

Mobile Threat Landscape

Since iOS data is hard to come by, the report only covers Android devices. According to the report, Gingerbread is the most attacked version of Android.

Android 2.3.6 “Gingerbread”, which accounts for 28% of all blocked attempts to install malware, was the most commonly attacked version. It is not new: it was released in September 2011.

Although Gingerbread isn’t new, it isn’t old either. An OS for a mobile device released 13 months ago shouldn’t be considered old.

But can an Android device be easily updated? Why are Android users not installing the newest version of Android? Do you need to pay for the newer version? Is it hard to update?

No! Android devices can be upgraded through the settings without having to pay for the new version. Here is how simple it is!

So, you’ve updated your phone because security is always an afterthought and newer versions of software are more secure than earlier versions. Awesome! Oh wait.

Attacks of cybercriminals in Q3 most commonly targeted Android versions 2.3.6 Gingerbread and 4.0.4 Ice Cream Sandwich

So upgrading to a newer Android version isn’t protecting you from attacks. How, then, is malware getting installed on these newer versions of Android?

Attackers are sufficiently good at bypassing restrictions on installing software from untrusted sources, primarily using social engineering techniques.

and

These two types of malware are mostly distributed via so-called alternative app stores created by cybercriminals [sic].

So it’s the user’s fault. Don’t install software from untrusted sources. Only install software from the app store. If you try to get around paying for software by downloading a pirated version, you will eventually pay for it by having your phone owned.

Desktop & Microsoft

Desktops, on the other hand, aren’t owned by users downloading malicious software. They are compromised by drive-by attacks: attacks that require no interaction from the user.

Microsoft products were very susceptible to drive-by attacks and used to be a huge target. This is no longer the case.

Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.

From this snippet of information, Emil Protalinski stated the Microsoft security team is killing it. Not true. The report points out Microsoft is still being owned.

Exploits targeting vulnerabilities in the Windows Help and Support Center, as well as various Internet Explorer (IE) flaws, accounted for 3% of all attacks. Specifically, a new vulnerability (CVE-2012-1876) was discovered in Q3 in IE versions 6-9.

I understand Microsoft isn’t in Kaspersky’s top 10. But that doesn’t mean the Microsoft security team is doing awesome. It’s because attackers are focusing on plugins. Plugins give attackers a larger market to attack, and they allow attackers to target multiple platforms at once. The report even says this.

Java exploits are sufficiently easy to use under any Windows version and, with some additional work by cybercriminals, as in the case of Flashfake, cross-platform exploits can be created. This explains the special interest of cybercriminals in Java vulnerabilities.

Automatic Updates FTW

The report suggests users and organizations can protect themselves by installing updates.

Our advice is that users should install updates of popular programs as they are released and use up-to-date protection against exploits, and companies should also use Patch Management technologies.

However, the whole reason why Microsoft isn’t on this report is because they implemented an automatic update system.

Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.

Even the automatic update system in Adobe Reader is helping keep users from being attacked.

The popularity of exploits for Adobe Reader is gradually declining due to a realtively [sic] simple mechanism that ensures their detection, as well as to automated updates introduced in the latest versions of the Reader.

Both mobile devices and desktops can benefit from an automatic update mechanism. So, is the solution that users and organizations should install updates or the updates should install themselves?

Although mobile devices don’t have automatic updates yet, it should be on the horizon. I’m still surprised I have to manually update iOS apps. Why am I required to go into the App Store, tap Updates, and then type in my password to install them? Wouldn’t the device and the experience benefit from applications being updated automatically?
