By mid-April 2014, Microsoft is set to release a patch for a “zero-day” vulnerability. When I asked some of my friends if they had heard the term “zero day”, a few of them said they had. When I asked them what the term referred to, they thought it meant “The number of days until you’re hacked”. Close, but not quite. It actually refers to lead time in an arms race.
One way that hackers can compromise your computer is by exploiting bugs in the programs you use every day. Security geeks call these bugs vulnerabilities. Software companies are constantly testing their products looking for these bugs, and when they find one, a couple of things happen. First, the company starts working on a fix in the form of a software patch. Second, hackers start making malware and viruses to take advantage of the bug. In other words, once a vulnerability is found, an arms race starts. How much time does the company have to patch the hole? Can the company issue a fix before the hackers use it to attack you? Most companies don’t even reveal the weakness until they have the patch ready, but sometimes the sneaky bad guys find out.
Frequently, it is not the software company that finds the bug, but the hacker himself. Some hackers do nothing all day but look for vulnerabilities in popular software. When they find one, they can secretly start working right away on malicious code to take advantage of the bug. How can a software company create a patch if it doesn’t even know the vulnerability exists? In this case, how many days of lead time does a company have to create a fix? Zero! How much time does a user have to patch their system before being exposed to the malware? Zero!
Sometimes it seems like there are too many things to consider when thinking about the security of your home computer(s), but a relatively easy way to greatly improve your odds is simply keeping the applications you use up to date. Many programs provide automated tools to do this. For those that don’t, tune in next week for another tip.