1

Are security updates necessary behind a hardware firewall like a router which doesn't have any open ports? The question applies to whatever the operating system is, say Windows, Linux, Android.

My use case is:

  • I only browse legitimate websites that are not malicious. The chance of going to a malicious website is nil.
  • I don't run any server on my PC. Actually, all the ports on the router are closed.
  • I don't have Adobe Flash installed. Flash content and JavaScript are already blocked in the browser.
  • I use a standard user account for most tasks. The administrator account is rarely used.
  • Nearly all of the third-party applications I install are open source.
  • I don't use Microsoft-branded applications even on Windows 7, e.g. MS Office.
  • For browsing I use Mozilla Firefox and keep it up to date.

So, are operating system security updates really necessary in my use case? Please explain.

Just saying that applications or the OS are vulnerable and should be kept up to date is not what I want to hear. I want to know how a vulnerable application can be insecure.

Apart from browser-based insecurities, are vulnerable applications really a concern? Say I had an open source application that is years old and can connect to the Internet for some genuine service. Can it be exploited to break the system's security?

1
  • I have edited the question in a more detailed way. Please give your valuable answers.
    – stackuser
    Commented Jun 20, 2015 at 9:55

3 Answers

3

Yes - in addition to the SSL downgrade type attacks etc. mentioned by @Mark, you may want to rethink "The chances of going to a malicious website is nil.". Even if you do not go to a malicious website, malware is often hidden in adverts for legitimate sites, and you could still be hit while browsing a reputable site (ad blockers can help here, but probably not totally eliminate the risk).

Another attack vector is the "Open Source" software you install. While the software is open source, that does not mean it's malware-free - if anything it means there is, unfortunately, a higher risk of malware being distributed. Some high-profile sites associated with Open Source distribution take common packages, rebundle them with their own installer and add "borderline malware". Don't believe me? Look here (additional references here and here) to read about Sourceforge doing this, here to show CNET has done something similar, here to see reference to download.com doing something similar.

It is theoretically possible for a program which is thought to be secure to be compromised when it makes an outbound connection. The outbound connection could fetch data which in turn operates/affects your local machine. This might require an overflow and/or MITM attack, but conceptually much malware works this way.
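
An added illustration of the outbound-connection case described in the answer above (not part of the original answer and not taken from any real application): a client with no listening port still parses bytes chosen by whoever replies to it. The reply format (one length byte followed by text), the function names and the sample replies are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define REPLY_NAME_CAP 16  /* size of the client's local buffer (assumed) */

/* Unpatched parser: trusts the length byte chosen by the remote side. */
int parse_reply_unpatched(const unsigned char *reply, size_t reply_len,
                          char out[REPLY_NAME_CAP])
{
    if (reply_len < 1)
        return -1;
    size_t n = reply[0];          /* remote-controlled, 0..255 */
    memcpy(out, reply + 1, n);    /* BUG: n may exceed both buffers */
    out[n] = '\0';                /* BUG: out of bounds when n >= 16 */
    return (int)n;
}

/* Patched parser: the claimed length is checked before any copy. */
int parse_reply_patched(const unsigned char *reply, size_t reply_len,
                        char out[REPLY_NAME_CAP])
{
    if (reply_len < 1)
        return -1;
    size_t n = reply[0];
    if (n > reply_len - 1)        /* claims more bytes than were received */
        return -1;
    if (n >= REPLY_NAME_CAP)      /* would not fit with the terminator */
        return -1;
    memcpy(out, reply + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample replies: one well-formed, one with a lying length. */
static const unsigned char good_reply[] = { 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char bad_reply[]  = { 200, 'A', 'A', 'A', 'A' };

int main(void)
{
    char name[REPLY_NAME_CAP];
    int ok  = parse_reply_patched(good_reply, sizeof good_reply, name);
    int bad = parse_reply_patched(bad_reply, sizeof bad_reply, name);
    /* The unpatched parser is only run on the well-formed reply here. */
    int old = parse_reply_unpatched(good_reply, sizeof good_reply, name);
    return (ok == 5 && bad == -1 && old == 5) ? 0 : 1;
}
```

The closed router ports never come into play here, because the client initiated the connection itself; only the bounds checks in the patched parser stop the oversized reply.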

2

You've eliminated the common sources of security holes. The problem is that when the next exploit targeting a less-common source happens (e.g. the EMF printer escape vulnerability or the SSL downgrade attacks), you'll get hit by it because you'll be far behind on your updates.

2

Yes, you really do need to install security and other updates as quickly as you can. Whilst you have taken some good steps to securing your PC, you are still running applications that themselves may become vulnerable.

  • Browser: security vulnerabilities are often found in browsers
  • MS Office: If you have this installed there are a number of common attack vectors
  • Adobe Acrobat: Again a common source of attacks.
  • Pretty much any other application that might have an internet connection or open files that may have come from outside your PC.

It is basically impossible to fully secure any computer, let alone those connected to the Internet. So you need a combination of approaches to stay secure.

  • Fully patched
  • Good anti-virus
  • Sensible lock-down including running as standard user by default
  • Occasional scans with anti-malware tools, especially if you notice a sudden change in behaviour such as a sudden slow down.
  • Running Microsoft EMET which helps mitigate some additional vulnerabilities
  • Only allowing white-listed applications to run - this is possibly the most effective protection but is generally only available to enterprise configurations; it is difficult to do for home users.
