The main recipe for avoiding a thousand ills
Everyone knows how to protect a system from vulnerabilities—install updates in a timely manner. But the problem is that vulnerabilities exist in large quantities and more of them appear every day; meanwhile, the number of programmers available to patch them is limited.
That's why after a vulnerability is analysed, security researchers assess its severity level and how much time and effort will be needed to patch it. After that, the corresponding tasks are added to development projects so that the security patches get released.
Bear in mind that patching a loophole costs money. Company developers, testers, technical writers and even spokespersons are all involved with the release of a security patch.
There are different kinds of vulnerabilities. Some of them can be exploited by ordinary users. Leveraging others may require considerable skill. That's why companies approach the problem as follows:
Microsoft published its Security Servicing Commitments for Windows in which the corporation outlines its policy regarding security issues in its operating system. Specifically, the document outlines security servicing criteria that Microsoft will use to determine which vulnerabilities must be patched.
The paper sets forth two evaluation criteria:
- Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?
- Does the severity of the vulnerability meet the bar for servicing?
Answering "yes" to both questions means Microsoft programmers will work on the problem and a corresponding fix for all supported products will be released as soon as possible.
If the answer to either question is no, the company will defer the fix until the next version of the product rather than address it through a security update, although in some cases an exception may be made. The document also defines severity categories for vulnerabilities: Critical, Important, Moderate, Low, and None. The company undertakes to address only vulnerabilities in the Critical and Important categories.
So even if you have installed all available updates, vulnerabilities may still exist in your system:
- Vulnerabilities that are known neither to hackers nor to the developers;
- Vulnerabilities that have been discovered by hackers but aren't yet known to the developers;
- Loopholes that the respective developer is unwilling or unable to patch.
Take Windows XP and Windows 7 as an example. They are known to have vulnerabilities, but security patches are seldom released for these operating systems.
Neither updates nor vulnerability scanners can guarantee that no loopholes exist in your system. That's why you need to use other means to protect it from attack—restrict user permissions and maintain control over the programs being launched. And, of course, install an anti-virus that will thwart hackers' attempts to exploit known and unknown vulnerabilities.