Your browser is obsolete!

The page may not load correctly.

  • add to favourites
    Add to Bookmarks

The main recipe for avoiding a thousand ills

Read: 64 Comments: 3 Rating: 5

Everyone knows how to protect a system from vulnerabilities—install updates in a timely manner. But the problem is that vulnerabilities exist in large quantities and more of them appear every day; meanwhile, the number of programmers available to patch them is limited.

That's why after a vulnerability is analysed, security researchers assess its severity level and how much time and effort will be needed to patch it. After that, the corresponding tasks are added to development projects so that the security patches get released.

Bear in mind that patching a loophole costs money. Company developers, testers, technical writers and even spokespersons are all involved with the release of a security patch.

There are different kinds of vulnerabilities. Some of them can be exploited by ordinary users. Leveraging others may require considerable skill. That's why companies approach the problem as follows:

Microsoft published its Security Servicing Commitments for Windows in which the corporation outlines its policy regarding security issues in its operating system. Specifically, the document outlines security servicing criteria that Microsoft will use to determine which vulnerabilities must be patched.

The paper sets forth two evaluation criteria:

  • Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?
  • Does the severity of the vulnerability meet the bar for servicing?

Answering "yes" to both questions means Microsoft programmers will work on the problem and a corresponding fix for all supported products will be released as soon as possible.

If the answer to either question is no, the company will postpone closing the vulnerability until before the next version is released. It will not be addressed through a security update, although in some cases an exception may be made. The document also defines severity categories for vulnerabilities: Critical, Important, Moderate, Low, and None. The company undertakes only to address vulnerabilities belonging to the Critical and Important categories.

https://www.securitylab.ru/news/493941.php

So even if you have installed all available updates, vulnerabilities may still exist in your system:

  • Vulnerabilities that are known neither to hackers nor to the developers;
  • Vulnerabilities that have been discovered by hackers but aren't yet known to the developers.
  • Loopholes that the respective developer is unwilling or unable to patch.

Take Windows XP and Windows 7 as an example. They are known to have vulnerabilities, but security patches are seldom released for these operating systems.

Dr.Web recommends

Neither updates nor vulnerability scanners can guarantee that no loopholes exist in your system. That's why you need to use other means to protect it from attack—restrict user permissions and maintain control over the programs being launched. And, of course, install an anti-virus that will thwart hackers' attempts to exploit known and unknown vulnerabilities.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.

[Twitter]

Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments