A patched browser - false feeling of security ?.. or ?

[arsenaloyal]

Kaspersky Lab's recently released "Global Web Browser Usage and Security Trends" report sparks several important questions from a security perspective:
Does the fact that (according to the study and third-party metrics services) Google's Chrome has the largest market share, make the Internet any safer?
Does it really matter if Chrome users get the latest updates delivered to them, in an attempt by Google Inc. to shorten the "window of opportunity" for a malicious attacker to take advantage of the security vulnerabilities that could be exploited in the old version of the browser?
Is Chrome the most secure browser on the market?
What's the current situational reality in respect to the most commonly used tactics by cybercriminals attempting to infect a targeted host, and is a version of a particular browser relevant to their practices?

More info here
http://www.zdnet.com/a-patched-browser-false-feeling-of-security-or-a-security-utopia-that-actually-exists-7000007541/

What do you think guys ?

 

[Deleted member 178]

Virtualization is my "motto" it is why i chose CIS v6, Shadow Defender and Chrome.

 

[arsenaloyal]

yes and i use sandboxie.

 

[Gnosis]

Patch this, patch that. Just give me a competent HIPS and BB, and I'll call it a day. For every patch that is released, there are 10 that are needed, or ultimately an infinite number. Hardly any of those bugs are known by the right people at the right time. It is even more rare that patches are released in a timely fashion, which defeats the whole freakin' purpose.

I don't even know why I allow MSFT updates anymore. I really believe it is pretty much useless, at least for XP.

 

[Prorootect]

Patch this, patch that. Just give me a competent HIPS and BB, and I'll call it a day. For every patch that is released, there are 10 that are needed, or ultimately an infinite number. Hardly any of those bugs are known by the right people at the right time. It is even more rare that patches are released in a timely fashion, which defeats the whole freakin' purpose.

I don't even know why I allow MSFT updates anymore. I really believe it is pretty much useless, at least for XP.

I think this same: Windows Updates are for me (on XP) useless. SP3 too useless.
Useless.

 

[Gnosis]

I think this same: Windows Updates are for me (on XP) useless. SP3 too useless.
Useless.

Ah. I see we are on the same page, yet again.

 

[Plexx]

If updates on windows and service packs were useless, they wouldn't be released right?

There are fixes on vulnerabilities and other issues caused and discovered through the life cycle.

An updated OS is more protected to its barebones core than an outdated OS, regardless if some updates seem useless. Perhaps one might consider or ask: Do you really know what do certain updates do/fix?

Sure it is an endless cycle but then again, when have you ever seen a perfect OS? Even Linux has updates and patches up to a certain degree (some distros with less than others), otherwise we would still be stuck with the first Ubuntu Build, the original Slackware and Fedora for example.

There is always justification for its actions.

Without even going as far as MS Updates, give me an example of a single build security software that has no flaws whatsoever. Can't because there isn't any.

 

[Gnosis]

If updates on windows and service packs were useless, they wouldn't be released right?

Maybe, but the timing of MSFT patches stinks. Timing is everything regarding patches, imho.
I don't mean to encourage others to ignore MSFT patches. I simply believe, esp. as far as XP goes, that they are mostly about PR, or avoiding blame, not so much effectiveness, as to avoid being exploited.

Without even going as far as MS Updates, give me an example of a single build security software that has no flaws whatsoever. Can't because there isn't any.

I absolutely agree. My point is that for every patch, there are always some that are needed that MSFT does not know about, and when they do know about them, they take forever to release the bug fixes. If I feel that they are getting the fixes out lighting fast, or as fast as humanly possible, I am fine with it. I know it is necessary. The gist is that there are many legit and illegitimate hackers out there that know about bugs, but for whatever reason, sinister or not, they never get reported to MSFT, which negates what patches MSFT does get out.
And before they even get those patches out, more bugs are discovered by potentially malicious people and may or may not get reported to MSFT in a timely fashion, or at all. And even if they do get reported, MSFT takes their sweet time in issuing them unless it is a hot new OS like Windows 8, and even then I am not so sure because, like you said, there are always bugs to be addressed in software. It never ends.

 

[Plexx]

I can up to a point agree with timing but then we have to consider: Nothing is perfect. There is already a balance between OS and Updates. If we just bombard the issues on timing that those are applied, forgetting the solely reason of updates being needed in the first place, you better off using the original Windows XP SP0 for example.

I'll just lay another example: Windows Vista, the known "failure" of MS after Windows Millennium Edition: Pre SP2 patch, was just a nightmare everywhere. Post SP2 is way more stable compared to SP0/SP1. There were updates needed for every aspect, ranging from security to compatibility to improvement in performance (Still somewhat questionable but regardless, it was improved). Sure it took them ages to release something that would make the OS more stable as opposed to when it first came out. Sure it discouraged tons of users to switch to xp. But then if you buy a second hand laptop for example from Vista time (which are still available in good conditions for many users around the world), chances of the buyer being an advanced user are minimal, which leaves the common user for surfing and Microsoft word/excel user. He will be perfectly fine on an OS while everyone says how Vista is bad, by forgetting the fixes that Vista saw on SP2 release and probably would never know because they simply did not want to know about it.

 

[Gnosis]

You make rational points. On this topic I will say that the masses should listen to you more than me. I just like to present worst case scenarios once in a while to keep people honest about certain realities.
As a general rule, people should gobble up updates from MSFT. I am simply exposing the false sense of security that exists in many minds pertinent to this topic.

I guess it is all about risk vs. reward. And you have nothing to risk in patching everything.

 

[Plexx]

There is a risk for the advanced user about patching everything. I have learnt that when SP3 for XP was first released. First day of SP3 released caused data wipes across the globe and within few hours it was taken off to have it fixed straight away and relaunch. Unfortunately I was one of the unlucky users. I had however everything backed up so it was ok.

I do not apply updates as they come. I wait a bit and research first before applying the updates.

The same for Graphics Cards for example: drivers updates are not simply to fix some vulnerabilities. There are updates that will allow games to be run smoothly and fix issues that are not related to the publisher/developer of the game.

Take FarCry 3 for example: Nvidia cards dont have full patch yet and I can't even run that game on DX11. Reason being that's a game focused on AMD cards

As a general rule: bugs will happen regardless: You fix something that causes a chain reaction. That is the issue of imperfect. Unfortunately nothing is perfect in life and chain reactions are visible in every aspect of life, not simply on software coding.

 

[Gnosis]

I do not apply updates as they come. I wait a bit and research first before applying the updates.

As do I. Good thinking.

First day of SP3 released caused data wipes across the globe

Ouch.

As a general rule: bugs will happen regardless: You fix something that causes a chain reaction. That is the issue of imperfect. Unfortunately nothing is perfect in life and chain reactions are visible in every aspect of life, not simply on software coding.

Ah. The gist. That is wisdom.

 

[arsenaloyal]

but patching is important to plug any loopholes in a particular software, be it MSFT or Adobe or java.

 

[Plexx]

but patching is important to plug any loopholes in a particular software, be it MSFT or Adobe or java.

The point ZOU is making is the time for patching, not so much the importance, as you can read above, as opposed to the personal opinion of Prorootect which simply believes that XP SP3 is a waste of time and refuses to understand that it does have security fixes over SP2.

 

[tipo]

I think this same: Windows Updates are for me (on XP) useless. SP3 too useless.
Useless.

Ah. I see we are on the same page, yet again.

same here guys! i have disabled the wuauclt service for a loooooooooooong time! (XP SP3 HE x86)

 

[Gnosis]

same here guys! i have disabled the wuauclt service for a loooooooooooong time! (XP SP3 HE x86)

I am tempted, but I have not done so. My Malware Defender HIPS always detects it. I keep allowing and keep the service going despite my issues with patches not being released in a timely fashion, potentially.