As IT security blogger Brian Krebs reports, last week saw a wave of critical security updates to Microsoft Windows, Java, and two Adobe programs.
Your clients might not realize that by delaying an update they can expose their business to cyber attacks. Security updates need to be implemented immediately because patches provide hackers with a road map that shows exactly how to attack old versions of software.
How do you convince clients to update software and use only current versions? Try a metaphor. Tell your clients to think about a software patch or security update the same way they would think of a recalled feature on their car.
When a car manufacturer recalls a product, they fix the defect for free. Everyone loves getting something for free! Software updates function the same way. Developers realize there's a flaw in their software and offer to fix it for free via an update.
Let's take a closer look at the security flaws that were fixed in the latest Windows, Java, and Adobe updates.
What IT Consultants Need to Know about New Vulnerabilities in Windows, Java, and Adobe
Each of these patches fixes significant flaws that could allow hackers to remotely access your clients' data. In fact, Microsoft's vulnerabilities (detailed below) have already been exploited, which means that malware already exists that can give hackers access to your client's network.
Make sure your client's take these security vulnerabilities seriously and download the following patches:
- Microsoft Windows updates. Dozens of flaws were fixed for Office, Explorer, .NET, and other Microsoft products. These vulnerabilities are significant and have already been exploited in a series of high profile attacks. The Washington Post reports that these vulnerabilities were used in recent cyber espionage attacks against NATO. By using a spear-phishing campaign, Russian hackers were able to trick NATO users into opening an email that contained a malware-infused Word doc.
- Adobe Flash Player and AIR software updates. Adobe's security bulletin announces new patches to fix Linux, Mac, and Windows versions of Flash and Adobe AIR.
- Java patches. Everyone's favorite InfoSec punching bag Java is being updated again. Oracle's update will fix over 22 remote access vulnerabilities, an astonishing number even for the notoriously porous platform.
Java Vulnerability Case Study: Why Are Businesses Still Slow to Update Old Software?
Java applets are particularly notorious for allowing hackers to gain access to a user's data. Yet, despite its reputation, many businesses still use old versions of Java that contain known security flaws (for more on Java's troubled history, see: "Stale Coffee: Old Versions of Java Expose Programmers to Cyber Liability").
While many security researches suggest that users completely uninstall Java, this often isn't an option for businesses that rely on legacy software. Workflow at small- and medium-sized businesses is sometimes completely integrated with the ancient software they depend on. Worse, some small businesses simply can't switch to new software because it doesn't exist for their specialized market (or is cost prohibitive).
As an IT consultant overseeing a company's network, you're liable for its security, which includes security for outdated applications or legacy software. (To learn about covering your lawsuit risk, read about Errors and Omissions Insurance for IT). In order for an IT consultant to limit their risk exposure, they'll need to teach their clients the importance of installing software patches as soon as they're released.