You might be one of those people who always update their devices as soon as a patch comes out. Maybe you like to wait a while to let the inevitable “Version x.y.z broke my wifi” niggles get resolved; perhaps you even take the view “if it’s not broke, don’t fix it!”. Whatever your appetite for risk, there is almost certainly going to be some vulnerability that you are exposed to and there’s little you can do to avoid it.
Lets take an example. Let’s say you have an iPhone running a flavor of iOS. Not so long ago, it used to be that Apple products boasted there was no need for security protection. Apple even used this in their marketing: “MAC vs PC Commercial – Viruses” (Apple Videos, 2007)
But time has moved on and the bad guys eventually realized there were a growing number of people out there with unprotected devices just aching to be exploited. In the case of the iPhone, there are plenty of ways for others to get their hands on your cash, your identity or just your messages and contacts.
We all now know that iPhones are no longer the once fabled secure place that even the FBI can’t invade; a sort of digital embassy where its digital citizens can feel secure from hostile interests. The San Bernardino iPhone put a stop to that idea. The phone was reportedly unlocked using a zero-day exploit: “FBI vs San Bernardino iPhone Case cracked by hackers zero day” (Smith, 2016)
Zero-day exploits are weaknesses in systems that are either unknown by the vendor or not yet patched in the wild. A bit like going out, remembering you left a window open and then trying to get in touch with your neighbor who has keys to enter your home and close it before you are robbed.
Security researchers are constantly looking for these zero-days exploits to get them confirmed and published as quickly as possible. If you want to see how vulnerable you really are before Abobe, Apple, Microsoft or other vendors decide to warn you, you need to take a look at the CVE database.
The Common Vulnerabilities and Exposures (CVE) database houses a dictionary of cyber security vulnerabilities you really need to know about if you are going to make informed decisions on what risks you choose to tolerate and those you cannot. You can search by keyword or by providing a CVE identifier. Each identifier refers to an individual reported vulnerability (CVE, 2015).
Another, slightly more detailed resource that is linked to the MITRE database is here: (MITRE, 2016)
This site is particularly good for visually spotting trends in known cyber security issues. Take a search for Apple iPhone’s iOs:
Ignoring the partial 2016 results, there is a clear upward trend in iOS vulnerabilities.
So imagine you see a notification pop up telling you to update your phone. What’s the risk if you don’t? Let’s say you check out the update on Apple’s website:
Source: Apple Inc. (2016)
Is Apple telling us everything here? Let’s look up the CVE number CVE-2016-1734. We can look this up on MITRE’s website and this will give you a little more independent detail that the Vendor may provide on their own page (bear in mind that no vendor likes to admit there are weaknesses in their products).
Lookup the CVE identifier on the cvedetails.com website we find:
This informs us of a total disclosure of system files, a total compromising of the system, rendering the system (your phone) unusable without any credentials being needed. From the same page you can also check what other risks you are taking from the same version of iOS. Clicking on the Vulnerabilities link for iOS v9.2.1:
This leads to a page of 38 other issues (at the time of writing) with iOS 9.2.1, colour coded with red, amber and green to given a threat score.
So before you ignore that update notice on your laptop, phone or other device, at least be more informed about the risk you are taking.