The cost of legacy software: it only takes one vulnerability

As we know, the bad guys have benefited from flaws in software for years, using them to infect millions of PCs around the world. Adobe Reader/Acrobat, one of the most notorious programs for ease of exploitability, is still being hit by malicious PDFs (a new zero-day was found just last week); but Adobe has made injecting malicious code harder with the introduction of its sandbox. People should therefore update to Adobe Reader X and get rid of the 9.x branch (still supported), which does not offer this added layer of protection.

It must be really hard for software companies that desperately want their users to update and yet know that the vast majority won’t… Unfortunately, when systems are designed and built, many applications depend on a specific version of a program, and changing that one thing can cause a lot of disruption. Even knowing there is a chance of getting infected, some businesses will take the risk and hope for the best.

In fact, not so long ago I was visiting a company that shall remain nameless and I was shocked by how weak their systems were. For some reason, they really had to use Java for one of their applications but on top of that it was a VERY old version (I’m talking several years old!). The IT guy shrugged and muttered “I know, I know” but insisted that it would cost more money to redo the whole program with a new version of Java rather than keep it that way. I suppose this COULD be acceptable if that was an internal machine with no connection to the world. But of course not, it was fully wired to the Internet and used for regular browsing.

Browsing the web for a few minutes with such an old version of Java is like walking down a dark alley at night with your pants around your ankles: Something bad is going to happen! ;-)

It doesn’t have to be that way though. I see a lot of people choosing the status quo for fear of breaking a system that has worked for years, and to keep costs low. One thing I do recommend is to isolate things that do not need to run alongside each other. If you must maintain a legacy system, put it inside a Virtual Machine (it’s free or very cheap), keep only the legacy application in there, and do your everyday browsing somewhere else. It offers great benefits such as immediate roll-backs, snapshots, etc…

If you need proof that it is dangerous to use out-of-date software (and Java in particular), look no further. My friend Steven Burn recently mentioned a bunch of domains involved in Java drive-bys:

img92-imageshack.us
img92-imageshack.us/img850/
img92-imageshack.us/img850/294/
img92-imageshack.us/img850/294/Java.jar
img92-imageshack.us/img850/294/Java.class
img92-imageshack.us/screen-viewer.com/
img92-imageshack.us/screen-viewer.com/Java.jar
img92-imageshack.us/share-screen.com/
img92-imageshack.us/share-screen.com/Java.jar
screen-viewer.com
screen-viewer.com/Java.jar
live-scape.com
live-scape.com/Livestream.jar
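One check an administrator can run against web-proxy logs to spot this kind of fetch, added here as an example and not part of the original post or of any tool it mentions: it flags requests for .jar/.class files (or Java MIME types) coming from hosts outside an allowlist, and lists the client machines to look at. The log lines, their Squid-like column layout and the allowlisted intranet host are constructed for the example; the flagged hostnames are taken from the list above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (Squid-like access.log layout, one request per line):
#   "<epoch> <client_ip> <method> <url> <http_status> <content_type>"
# These lines were written for this example; they are not a real capture.
SAMPLE_LOG = """\
1300000000.123 10.0.0.15 GET http://screen-viewer.com/Java.jar 200 application/java-archive
1300000001.456 10.0.0.15 GET http://img92-imageshack.us/img850/294/Java.class 200 application/octet-stream
1300000002.789 10.0.0.22 GET http://www.example.com/index.html 200 text/html
1300000003.001 10.0.0.22 GET http://intranet.corp.example/apps/legacy/app.jar 200 application/java-archive
1300000004.222 10.0.0.31 GET http://live-scape.com/Livestream.jar 404 text/html
"""

# Hypothetical allowlist: hosts from which Java code is legitimately fetched
# (the internal server that hosts the legacy application, for instance).
ALLOWLIST = frozenset({"intranet.corp.example"})

JAVA_EXTENSIONS = (".jar", ".class")
JAVA_MIME_TYPES = frozenset({
    "application/java-archive",
    "application/x-java-archive",
    "application/x-java-applet",
    "application/java-vm",
})

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Split one log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_java_fetch(entry, allowlist):
    """True when the request looks like Java code being pulled from a host
    outside the allowlist, judged by URL extension or by Content-Type."""
    parts = urlsplit(entry["url"])
    host = (parts.hostname or "").lower()
    by_extension = parts.path.lower().endswith(JAVA_EXTENSIONS)
    by_mime = entry["ctype"].split(";")[0].lower() in JAVA_MIME_TYPES
    return (by_extension or by_mime) and host not in allowlist


def find_java_fetches(log_text, allowlist=ALLOWLIST):
    """Return one record per suspicious fetch. Failed downloads (non-200) are
    kept on purpose: the client was still directed to the file."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_java_fetch(entry, allowlist):
            continue
        parts = urlsplit(entry["url"])
        hits.append({
            "client": entry["client"],
            "host": (parts.hostname or "").lower(),
            "path": parts.path,
            "status": entry["status"],
        })
    return hits


def clients_to_check(hits):
    """Distinct client addresses that fetched Java code: the machines to look at first."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    hits = find_java_fetches(SAMPLE_LOG)
    for h in hits:
        print(f'{h["client"]} fetched {h["path"]} from {h["host"]} (HTTP {h["status"]})')
    print("machines to check:", ", ".join(clients_to_check(hits)))
```

The .class request above is served as application/octet-stream, so matching on the URL extension as well as the MIME type matters; the 404 for Livestream.jar is still reported because the machine was sent there by something.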

And unfortunately for us, the Java updater does not always work very well. Although I try to make it a priority to keep my home computer up to date, the Java updater was not telling me that I was several versions out of date. I had to manually check it myself (Control Panel -> Java -> Update Now). You should do that too, you might be surprised.
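An added example (not the Java updater's or the original post's code) of doing that manual check in bulk: parse the banner that `java -version` prints and compare it with a minimum patch level you set yourself, so the decision no longer depends on the updater noticing. The sample banners and the baseline in the usage call are assumptions; the parser also handles the `M.m.p` scheme Java adopted from version 9 on, which goes beyond the 1.x releases the post is about.

```python
import re
import subprocess

# `java -version` prints a banner whose first line looks like
#   java version "1.6.0_20"      (Java 5 to 8: legacy 1.M.m_U scheme)
#   openjdk version "11.0.2"     (Java 9 and later: M.m.p scheme)
BANNER_RE = re.compile(r'(?:java|openjdk) version "(?P<ver>[^"]+)"')
LEGACY_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")
MODERN_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_java_version(banner):
    """Turn a `java -version` banner into a comparable (major, minor, update)
    tuple; None when no version string is present."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    ver = m.group("ver")
    legacy = LEGACY_RE.match(ver)
    if legacy:
        major, minor, update = legacy.groups()
        return (int(major), int(minor), int(update or 0))
    modern = MODERN_RE.match(ver)
    if modern:
        major, minor, patch = modern.groups()
        return (int(major), int(minor or 0), int(patch or 0))
    return None


def is_outdated(banner, minimum):
    """True when the banner is older than `minimum` or cannot be parsed:
    an unknown or missing Java is something to look at, not to ignore."""
    version = parse_java_version(banner)
    return version is None or version < minimum


def installed_java_banner():
    """Banner of whichever `java` is first on PATH. The JRE writes it to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    # Assumed baseline for this example: set it to the vendor's current patch level.
    MINIMUM = (6, 0, 24)
    banner = installed_java_banner()
    print("installed:", parse_java_version(banner))
    print("outdated:", is_outdated(banner, MINIMUM))
```

Run it from a login script or an inventory job and collect the result per machine; a PATH that points at an old JRE left behind by an installer is exactly the case the updater applet will not tell you about.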

If you work for a company that has several out-of-date programs, you should try to point it out to your manager. The traditional IT guys don’t like to be reminded of those things and seem to hate it when people tell them how to do their job.

Jerome Segura
