Consider that an operating system typically has more than fifty million lines of code.  If the source code for Windows was printed out it would be a thousand times thicker than War and Peace.  While a novel usually has a handful of sequential plots, the source code for an OS may have hundreds of interleaving logical threads jumping from one point to another.  The problem is exacerbated with a few more million lines of code for each program that you run on top of the operating system.  Clearly errors are inevitable.

When errors happen in source code the results are unpredictable.  Sometimes a piece of code can be made to do something that was never intended and this is what is known as a bug. Some bugs are harmless while others can be devastating.  If a bad guy discovers a bug and they can provoke the bug with repeatable and predictable results then that becomes an exploit and this is where the trouble begins.Part of the threat comes from so called zero-day exploits. Once the exploit is discovered it becomes a race for the developers to investigate, understand and fix the bug, and then to get that fix to all of their customers, against the bad guys distributing their malicious code to as many unpatched victims as possible. It’s very difficult to protect yourself against unknown threats but so far zero-day exploits have made up only a small part of the overall threat due to the high level of expertise needed to uncover new bugs.

Most malicious code targets bugs for which patches have already been released so in an ideal world most malicious code would be harmless because all of the bugs have already been squashed. Unfortunately the situation is far from ideal and a computer typically has software from more than a dozen vendors., meaning you will have to manage a dozen different patching services.

Understandably it’s a challenge to check for patches for every bit of software all of the time, but if you patch the biggest targets as often as possible (ideally at least once a month) then it will be far less likely that you will become a victim.  The biggest targests are commonly Microsoft, Mozilla Firefox, Google Chrome, Adobe Acrobat (PDF reader), Adobe Flash Player and Java. Keeping these up to date is a very good start. Many programs provide automatic patching services; if so I suggest you use them!

A free web service called Qualys BrowserCheck that I’ve personally found to be quite useful will inspect your browser, report on which bits are out of date and if possible provide links to update them.  If you use more than one browser you should run this in each one.  You don’t need to install anything, just click the ‘Scan Now’ link and it will take only a few seconds.

The usual disclaimer applies to software and services linked in this article.

If you’d like to know more about what we mean by exploits, check out next week’s post that looks at some examples of how they are distributed and the damage they can do…

Image Attribution: Thanks to Salvatore Vuono @ FreeDigitalPhotos.net for the images