There are certain things in the tech world that go from Myth A to Myth B. The “ghz” myth is one of these things – a CPU’s clockspeed is measured in ghz and people used to use this as the go-to benchmark for determining performance and they’d ignore everything else. Now people go around saying that “ghz” doesn’t matter at all, which is equally stupid.
I see this with patching. Patching used to be the go-to practice for keeping an application secure. A program that was quick to patch was more secure and that was a way to measure security. Now people pretend that patching doesn’t matter – that if you use techniques like ASLR/DEP and you sandbox your applications you don’t need to worry. I see this all over.
This is incorrect. Patching is an invaluable layer in any security setup and I think the latest Chrome exploit shows why.
Google Chrome makes use of ASLR (very strong ASLR), DEP, and SEHOP. It has a fairly finely grained sandbox for each process on Windows. It’s a nice mixture of policy and technology.
And yet it’s still hackable. No matter how much policy you have it will have flaws. No matter how many memory techniques you implement there will be backdoors. Do those methods make things way more secure? Absolutely – there’s never been a single exploit in the wild that bypasses Chrome’s sandbox, even their relatively weak Flash sandbox.
But if you’re looking for security in depth you’d better patch because if you’re running Chrome 14 there’s been a thousand holes since then and it’s simply a matter of chaining the right ones together.
And this applies to everything. In Linux I’m running Chrome, which implements an incredibly secure sandbox, which is highly reinforced by the patches I make to my kernel. But if I’m running a super old unpatched version of Chrome all an attacker has to do is google for some exploits and chain it all together.
The cost of attacking a user is drastically lower when the exploit code is already available and there’s documentation on the vulnerability. By patching you force the attacker to find a new vulnerability, and in the case of a program like Chrome you actually end up forcing them to come up with a dozen vulnerabilities.
There is one simple reason why the entire threat landscape would have to change if Linux were suddenly the most popular OS. It’s not some magic memory technique or sandbox, it’s patching. All of my applications are always up to date on Linux, on Windows they aren’t. And hackers take huge advantage of that.
So do yourself a favor. Keep your system up to date.