Manage Learn to apply best practices and optimize your operations.

How to protect employees from fake patches

Attackers are using fake patches to trick users into installing malicious software. Security expert Nick Lewis explains how to avoid the threat.

I'm hearing more and more about fake patches coming from supposedly reputable programs -- including Google Chrome and Java. How do these attacks work and what are some best practices I can instill to keep my users from installing fake updates?

Time and time again I have said that enterprises should turn on the auto-update feature if they are not going to actively manage any piece of software. However, this recommendation relies on software vendors using secure methods to push out updates and patches to their customers.

While it is a reasonable expectation from Microsoft, Adobe and other similar companies, software vendors without robust information security as part their software development lifecycle might not have sufficient protections in place to protect their customers. This process requires creating patches that can be verified to not have been modified and to have come from the legitimate source and then validated on the client system. Unfortunately, regardless of a company's precautions, there are instances of issues. Even Microsoft's Windows Update was subverted in the Flame malware attack, in which the malware used a fraudulent certificate to send out fake Windows update patches.

However, in the aforementioned cases of updates for Chrome and Java, the fake patches were not the result of attacking the auto-update capabilities; rather they used social engineering to trick users into installing malicious "updates." These updates used company logos and terminology to trick users into believing that the update was legitimately from a trusted vendor.

To prevent your employees from falling victim to such social engineering attacks, enterprises could prohibit users from installing software and software updates on corporate devices and have the IT department take care of all patching. Additional security measures organizations could implement include using a Web browser that checks against a blacklist for malicious downloads, employing a network-based antimalware appliance, or adopting a host-based security tool that can identify fake patches before they are installed and thus minimize the chances of a user being tricked by a fake update.

Ask the Expert!
Perplexed about enterprise security? Send Nick Lewis your questions today! (All questions are anonymous.)

This was last published in June 2014

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

This is akin to the phishing article I read a bit ago. As with any potential attack or quest for your information, you should know with whom you're dealing. If you have a fake patch come up, you should have the skill to evaluate if it's something you need to click on to install. In the Apple v. MSFT world, the first auto security patch for Apple came through the other day. As we Mac addicts start to get used to this type of software, we'll all be better off because the only time we'll get suspicious is if a patch asks me to activate it. And that's what this article talks about. So use common sense and think stuff through. When it doubt, go get your IT gal or guy. Or look it up. If you're getting a patch, there's a bunch of other people who are too. If it's a fake patch, there might also be a notice of that online by the time it shows up on your doorstep/laptop.