Software Vendors Encourage Security Lapses

I am now convinced that computer software vendors, knowingly or otherwise, help perpetuate insecure computer practices. They do this by the ridiculous practice of pushing out updates through executable files which ninety-eight percent of the time will get blocked by the security software we encourage users to install on their systems. You get a notification that an update is available, and you click on the “update now” button and sit there and wait, and wait, and wait….

Then it suddenly hits you that the update process may not be working and sure enough, when you check the application log, a firewall blocked the download of an exe file – which is what we want our firewall to do. At this point, most users will either allow the download of the executable file, or those who have some form of central management will change their security policy to allow .exe files so they can update all computers at home or at work. The problem is that many do not remember to turn the policies back on or re-apply the block policy at the desktop level. What follows is a free-for-all for drive-by downloads.

I just spent the past week cleaning up computers that were infested with all kind of viruses and rootkits. Investigation revealed that security policies were relaxed so the client could “get rid of the damn popups”. There has to be a better way of pushing out updates than through exe files – and it is not enough for vendors to force “download managers” on users either because a centrally managed security policy will still block the executable file. It used to be safe to add vendor sites to safe lists, but with web address spoofing and hijacking getting more sophisticated, that is not as clear-cut as it once was.

Remember, we are talking about small business environments here. The big corporations have dedicated support staff that will take the update process through its paces and test to make sure they are safe before deploying to users. Small businesses do not have that luxury. Many are self-managed environments and most do not have the patience to vet every software that prompts for an update. Worse still, if the vendor is a “known” name like Microsoft and Adobe, they are trusted.