December 18, 2009, 9:40 AM — Yesterday, Mozilla fixed ten security bugs in Firefox. If you haven't upgraded Firefox to 3.5.6 yet, you can do so now. I'll wait for you. Done? Good. You're better off than a friend of mine who, I discovered, was still running Firefox 3.0.0. His logic? It's Firefox and open source, therefore it's still safer than, say, Internet Explorer 6. Oh dear.
Sorry, it doesn't work that way. He was right that open-source programs tend to be safer than proprietary programs. And, yes, he was right in thinking that the ancient IE 6 isn't safe at all. But just because a program is open source doesn't mean that it's always safe, and an old program, no matter how it was made or who made it, is very unlikely to still be safe.
The simple truth is that all programs can be broken. Some, like operating systems, Web browsers, and commonly used office software are constantly being poked and prodded by crackers to find weaknesses. Therefore, when a vendor comes out with a security patch for whatever program it is that you're using, your best move is to patch your copy of the software as soon as possible.
Sometimes, as with the recent case of Adobe Reader, there is no patch and you have to work around the problem. But, more often than not, developers stay ahead by a nose in the race between programmers and crackers.
Except, that is, after the programmers have released a fix. Then the crackers know where the problems are, and they can quickly release attacks that will work on the older versions of the programs. This is true whether a program is proprietary or open source. Once a program is patched, the clock is ticking, and the longer you stay with out-of-date software, the more likely it is that someone can get at you through it.
They won't be able to get at my friend, though. As I told him, his faith in open-source software was touching, but misplaced. When it comes to securing software, the faster you apply patches, the safer you'll be, regardless of how a program was created.