It’s a constant mantra in the IT world that you absolutely must keep your Internet-connected systems up to date. This patch for your operating system. That bugfix for your browser. These upgrades for your instant messaging software and seemingly endless updates for your anti-virus software. It can be a little fatiguing at times, but, outside of actual program revisions — things like jumping between different versions of operating systems or major, feature-different iterations of application software — it’s generally advisable to upgrade as soon as possible, if only because security fixes are usually among the highlighted changes in new releases. Software isn’t perfect, and it’s a sad truth that if there’s something that can be exploited within it — and especially if it can be exploited for money — then chances are it will be.
So you update frequently, making sure that you’re entirely up to date. But have you ensured that you’re getting the updates directly from the source? That’s just as important as actually performing the update process, simply because it’s all too common for malware to pose as legitimate software updates — and all the sneakier when it does. You figure you’re entirely up to date, but in fact your system is even more vulnerable than you thought, because it’s not only not patched, but also actually compromised. Oracle’s Java platform recently fell foul of this problem, not quite despite Oracle’s lack of patching, but realistically almost because of it.
Java’s been something of a whipping boy for the security community, and many advise simply disabling it in your browser. There are legitimate functions that still rely on it, however, and Oracle did a lot of work fixing bugs recently with a large update (http://java.com/en/download/index). That legitimate update was spoofed by malware pretending to be the correct software (http://threatpost.com/en_us/blogs/security-firms-warn-users-fake-java-updates-012113), leaving users who may have tried to update with no update at all, although the fact that the fake update wasn’t published by Oracle should have been a bit of a red flag to them. This kind of deception in malware is nothing new; it’s the same tactic behind dodgy emails claiming to be from your bank, eBay, Telstra or that unusual Nigerian prince who seems to have an awful lot of money for you. In the case of the emails, though, you should just hit delete. For software updates, send your browser directly to the original update source (if it’s not indicated within the application itself) — anything else is rather risky.
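
The red flag mentioned above, an update that wasn’t published by the vendor, can be checked on Windows before an installer is ever run. The PowerShell function below is an added example, not part of the original article; its name, its parameters and the placeholder path and publisher in the usage comment are assumptions, and the expected publisher is whatever name the vendor itself lists.

```powershell
# Added example: check who signed a downloaded installer before running it.
# Test-InstallerPublisher and its parameter names are hypothetical.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Exact publisher name as listed by the vendor (supplied by the caller).
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Reads the Authenticode signature embedded in (or catalogued for) the file.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Unsigned files have no signer certificate, so the publisher stays $null.
    $publisher  = $null
    $thumbprint = $null
    if ($sig.SignerCertificate) {
        $nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher  = $sig.SignerCertificate.GetNameInfo($nameType, $false)
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }

    # 'Valid' means: signed, unmodified since signing, and the certificate
    # chains to a root this machine trusts. Anything else fails the check.
    $signatureOk = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

    # Exact match on the whole name (string -eq is case-insensitive), so a
    # look-alike publisher that merely contains the vendor's name does not pass.
    $publisherOk = ($null -ne $publisher) -and ($publisher -eq $ExpectedPublisher)

    [pscustomobject]@{
        Path            = (Resolve-Path -LiteralPath $Path).Path
        SignatureStatus = $sig.Status
        Publisher       = $publisher
        Thumbprint      = $thumbprint
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SafeToRun       = $signatureOk -and $publisherOk
    }
}

# Example call (path and publisher name are placeholders to replace):
# Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\installer.exe" `
#     -ExpectedPublisher 'Vendor Name, Inc.'
```

A result with `SafeToRun` set to `False` means the file is unsigned, altered, untrusted or signed by someone else, and it should be deleted and fetched again from the original update source.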