Ghosts of Software Past: How Neglecting Updates Can Come Back to Haunt You
by Gennie Harris
"In this world nothing can be said to be certain, except death and taxes...and software updates." -Benjamin Franklin
Okay, so maybe I added that last part on, but it's true: in a world that surrounds us with ever-changing technology - in which we're constantly assaulted by new versions that work better, faster, and more securely - you can always count on being out of date with something. When we fall a little behind the technologies around us, though, we are vulnerable to attacks by all kinds of software spooks. These incidents can take many different forms; here are some stories from around the Singlebrook office about the different ways that neglecting software updates can come back to haunt you, along with some tips at the end for staying up to date.
Oh, and just in case you're wondering if I'm actually qualified to talk about the consequences of falling behind on software, here's an embarrassing story of my own to start us off:
In Which Gennie is Haunted...by her own Stinginess
In the spring of 2012, during my junior year of college, I started buying my textbooks as e-books to save some money. One of the first books I bought, Rock Music Styles by Katherine Charlton, was a beautiful print replica - its pages looked just like the paper version, with full-color images and illustrations. I downloaded the e-book, thrilled at how much money I would be saving, and went to open it on my Kindle...only to realize that full-color e-books can’t be opened on the traditional Kindle. Okay, I thought, only a minor setback...So I tried opening it on the Kindle Desktop App for Mac - only to be greeted by the message that my Kindle App was out of date and would have to be updated in order to view the book. After a few more grumbles (This was supposed to be an easy process) I downloaded the newest version of the Kindle app...which couldn’t be opened on my operating system.
See, I was still running OS X Leopard, which came with my MacBook Pro in 2009 when I purchased it; I’d been reluctant to shell out the money for an upgrade despite the fact that the newest version was now Lion, two steps ahead of my own. In short, this e-book purchase - which was supposed to save me money - carried the hidden cost of an operating system update - and ended up costing me more money than I would have spent on the paper version of the book.
Sure, I could have returned the e-book and bought the traditional hard-copy version instead, thus avoiding the upgrade costs - but if I was having this much trouble with a simple e-book, I shuddered to think what other problems could be looming on the horizon if I didn’t bite the bullet and update my machine.
Phantasm Pharmaceuticals
You’re looking for some information on a well-regarded non-profit organization, so you type their name into your favorite search engine. The first search result seems to match exactly what you’re looking for, except...what’s this in the description? Buy Cialis in Australia? That...doesn’t seem like the site you’re looking for after all.
A new client came to us recently with this exact problem, to their complete horror. After some thorough investigation, we discovered that it was a fairly common WordPress hack - almost always caused by an out-of-date WordPress installation or other plug-ins that need updating. What took hours of combing through their database and searching through theme and plugin files - not to mention the process of re-indexing on major search engines and the negative impact of having a compromised site for a time - could potentially have been prevented with a simple software update.
Gone in a Flash
Let’s say you’re part of an organization that offers a couple of fairly extensive computer-based training courses via your website. Users can choose the way they navigate these courses, and then watch videos and listen to audio while occasionally responding to questions. Through all of this, they can track their progress and see updated content based on what they’ve done in the past. Your users have found this site very useful and effective, and the user interface seems to function pretty well. That is, until you’re presented with a new niche audience who want - or even need - to access your courses via iPad and other mobile devices, and then the fact that your entire site is Flash-based suddenly makes everything really tricky.
Now the task of making your site usable for your intended audience adds up to hundreds of hours of work converting and migrating the content to a new HTML5 version. Yes, the process is probably going to be expensive and take some time, but your only other option is to disregard the needs of your users. This is one of those strange cases that isn't even about neglecting updates, but rather about having to change technologies completely to adapt to changing trends - though no one is at fault, it's important to recognize the need for the switch.
Spammed by Specters
Have you ever had one of those moments where, in rationalizing forgoing a tiresome chore, you simply thought, “What’s the worst that could happen?” Well, the field of web programming has taught us time and time again that the answer is always, “Something really really bad.”
Take, for example, a ColdFusion vulnerability that the National Vulnerability Database published in January of 2013 with a severity rating of 10 out of 10 - this vulnerability was easily exploitable, could be exploited over the network, and didn’t require any form of authentication; in short, a painfully serious security risk.
Fast forward to this summer, when one company got hacked through this same vulnerability, leaving link spam and other vandalism strewn across their site; but as with most security breaches, it was difficult to know what other damage had been done. When they came to us for help, we had to take their site - and the database it relied on - down immediately, and then advise them to hire a security firm and notify their users that their credit card data had been compromised. And thus, what could have been solved by simply applying a patch turned into a costly, time-consuming mess.
Some Sites Can't Be Revived
Another client came to us recently, desperately clinging to the remains of their site in what can aptly be described as the Titanic of upgrade horror stories. Their site was a custom-built storefront that was based off a widely used e-commerce system; since its creation about half a decade ago, however, they hadn’t been notified of any security issues and therefore hadn’t had any maintenance performed on it. After years of smooth sailing, they started running into small issues a few weeks ago, as users reported receiving antivirus warnings when clicking on "Buy" buttons throughout the site. As they started to investigate, they realized that this was only the tip of the iceberg (pardon the extended metaphor) - there had been a security vulnerability for a long time, and it was broad enough that there was no way to tell what had been done. Though they lucked out in using a solid commerce system (and therefore not storing their customers’ financial data on their own servers), the damage was so extensive that the most cost- and time-effective choice ended up being to build an entirely new site from scratch.
This case presents an interesting moral - though everyone wants their site to stand out among the crowd, if the system behind that site is too customized, it may be significantly more difficult to upgrade...and you may not even be notified when upgrades are necessary. Furthermore, though staying updated is always important, when using a storefront or other site that deals with sensitive customer data it is especially crucial that you keep up to date.
On Dealing with Program Poltergeists
Upgrading software can be painful, costly, and time-consuming. But the alternatives - security vulnerabilities, incompatibility with other software, ostracized users, security liabilities, things mysteriously breaking for no apparent reason, and did we mention the security risks? - are far worse. Luckily, there are some simple steps you can take to avoid these pitfalls - and to minimize the damage when they do occur.
Update Early and Often
It may not always be feasible to upgrade an entire system immediately when the next version comes out, but for smaller software updates you should always try to stay on the ball. The consequences of avoiding an update may not be apparent immediately, but the further out of date you are, the more likely it is that things will stop working as they should; and when you try to find a fix for an out-of-date piece of software, you'll find it a lot more difficult to find the support you need.
Save Ahead
Sure, building a new website or program can have a lot of upfront costs that seem more important than the hazy concept of “updating at some point in the future,” but setting aside money for upgrade work right from the start can save future-you from major headaches. It’s almost inevitable that you will have to upgrade at some point, so being prepared will make the process that much easier.
Listen to the Experts
If you aren’t a developer yourself, but instead work with them in some capacity, upgrade your software when they advise you to do so. The further removed you are from a program, the harder it is to see the clear-cut benefits to upgrading (and easier, therefore, to see the reasons to avoid doing so). And, hand in hand with this, if you’ve done long-term work with a development team that has never before advised you to upgrade, find a new team.
Your programmers should be your personal ghostbusters when it comes to software updates.
Share Your Software Ghost Stories
Do you have an epic tale of banishing a program phantasm or defeating a zombified system? Have you found any secrets to avoiding these hauntings or solving them when they come up? We'd love to hear from you! Leave a comment and tell us about your own encounters.
And remember, as important as it is to hunt down the ghosts of software past, you don't have to do it alone. If you're searching for your own band of programming ghostbusters to help you navigate the dark, windy roads of web programming, we're here to help. Contact us to learn more!
Happy haunting!