In The News‎ > ‎

Summer of Patches

posted Jul 21, 2015, 1:07 PM by Craig Cox   [ updated Jul 22, 2015, 6:20 AM ]
In late June, an Italian company calling itself Hacking Team found that its corporate network had been compromised and about 400Gb of data was stolen.  Hacking Team is in the business of selling hacking software to governments and law enforcement agencies, including governments with poor human rights records.  In the best cases, law enforcement agencies used the software under search warrants to gather information on suspected criminals.  In the worst cases, repressive governments identified and punished political dissidents.  News of the attack thus cause a lot of schadenfreude, and a lot of mixed feelings among security practitioners -- an illegal act perpetrated against what many considered to be a rogue company.

Approve or not, the data revealed in the breach has caused a lot of scrambling.  Three Adobe Flash exploits, used as part of Hacking Team's product, were made public and patches were issued last week.  This week Microsoft issued an out-of-schedule patch for all versions of Windows to correct a flaw that Hacking Team had been using.  Other software providers have also had to issue patches.  There is no reason to believe that all of the bugs have necessarily been found and fixed.  We should continue to expect new discoveries, and of course the Hacking Team breach isn't the only source of new vulnerabilities.

While it is always important to keep up with your patches, this breach really throws the spotlight on why.  You, the legitimate computer owner, are in a race against the criminals to patch the vulnerability before the bad guys use it against you.  Worse, the crooks get a head start, because they found out about the vulnerability at the same time as the companies who have to write the patch.  You only get to defend yourself once the company releases the patch.  (Edited to add:  Want a few more details about applying patches?  Read over the middle column of the Basic Precautions page.  This isn't just a Windows problem!)

(Second edit 7/22:  Yesterday's desk calendar comic was on point.)

Delaware Tech's IIT group (formerly DIET) will push these patches out to all domain computers.  You need to make sure that you apply them to your home computers.

Over the long term, Delaware Tech hopes to replace all flash content with more recent, secure technology.  This is not a trivial project.  When your browser warns you about (for instance) the announcements page, please understand that people are working behind the scenes to make that service available without flash.  It's just going to take time.  Even Youtube, which as of January has switched from Flash to HTML5 as a default, still has videos up that prompt for flash.