
General discussion

How can I be sure software updates are legit?

Feb 15, 2013 10:04AM PST
Question:

How can I be sure software updates are legit?


Almost every week I get an authentic looking message telling me that
an update for one program or another is available. Adobe Flash Player
seems to be the most frequent. I blindly go ahead and click the
Install button, but have become nervous that maybe one day some hacker
will replicate the format to disguise an unpleasant surprise that will
install something that will ruin my whole system. How can I be sure
that what I'm accepting or installing is the real deal? There are
several well-known antivirus/antispyware/firewall programs running on
my computer - should they provide all of the protection needed to fend
off that sort of attack? Thanks!

--Submitted by: Ken C.

Use Auto Update or Manually Go to the Web Site
Feb 15, 2013 12:41PM PST

Every day e-mail "sender" information is spoofed by unscrupulous characters in order to make their e-mail message look legitimate; and the links contained in them look as though they are coming from a reputable company when, in fact, they could take you to an attack site, or a virus, Trojan, or worm could be installed and launched on the victim's computer. Just because it looks legit doesn't mean that it is.

These days there is absolutely no reason to click on a link contained in an e-mail message in order to update your software. Instead, launch the program in question, find the "Update" command found in the Tools>Preferences or the About menu in your software's tool bar and let the software update itself. If there is an update available, the software program will download and install it for you. If you don't want to be bothered with going through the manual process, simply enable "Automatic Updates" for that software program before you click the "Update" or "Update now" option.

Alternately, go to the Web site for the software in question by manually typing the software developer's Web address into your browser's address bar (do not copy and paste, and do not copy the address given in the e-mail; instead, Google it if you don't know it) and go directly to the developer's Web site. Then look for updates for the software program in question. If software updates are available, either download the update(s) and install them manually or update the program directly from the developer's site.

Blindly clicking a link in an e-mail, even one that looks legitimate, is a disaster waiting to happen and a risk that is unnecessary.

Any e-mail that claims to have a link to an update for any software program should immediately be regarded as suspicious and approached with caution. You're better off NEVER clicking an "update" link in any e-mail.

Use Auto Update
Feb 21, 2013 8:03AM PST

If your operating system is a malware operating system that used a spyware remote terminal EULA upon installation, you will only update malware to your system. Try to use a non-compromised system and save your updates to a non-compromised USB or CD-RW or DVD-RW. Never use auto updates of any software if you are not sure if your system is infected with malware. Compromised USBs have a hidden recycle bin that can access your desktop without your knowledge or consent. Check your USB by going to the control panel, folders, click do not hide and check the USB; if a recycle bin is there, delete it, then add what you want. Then follow those same steps to hide the contents of your system. In Windows Vista and Windows 7 the public folder is present; this is a clue that you are using a malware operating system.

Paranoia sets in!!
Feb 22, 2013 7:56PM PST

After reading the title of this Cnet email about not trusting updates, I decided not to trust the email either. So, I went to the Cnet site, and tried "searching" the title of the article. Nothing. Tried the article's author. Nothing. Tried forums, etc. and still nothing. I went back and allowed the pictures to come up in the email, thought about it a minute, and, giving up, I clicked on the email article to get here. Wasted so much time, just to have to give in anyway and click on the email.

Re: How Can I be sure software updates are legit?
Feb 22, 2013 8:42PM PST

I agree with your posted comments. My comments would have been similar. Thanks for the post. I agree and would follow these procedures, as I do regularly.

I've had a computer for 9 years
Feb 22, 2013 10:29PM PST

I've had a computer for 9 years and I've never received a link for an update to a program or anything else in an email. Never. I've received links to websites of programs I have for newer versions of those programs but the link is never in the email. I didn't even know there was such a thing as a link for an update inside an email.

I get the same stuff as far as updates are concerned
Feb 15, 2013 1:03PM PST

I have the new Win 8 on my computer. Even prior to that I had Win 7, Vista and XP. All the operating systems I used always have updates. I do not automatically install but just download them. Because Microsoft has all bulletin numbers, it is hard to distinguish them and especially when you have 30 downloads, it is a pain to check everything out. I just rely on them and not worry too much. However, Adobe, like you mentioned, frequently has updates and a window tells me so. I am protected with the virus checker and firewall called Defender which came with Win 8. I am pretty certain it would tell me if there were viruses and malware that can be damaging. I would opt for Symantec but it costs too much. Previously I used the free ones such as AVG and Avast, which incidentally you would pay for to get the best protection. Costing just a fraction of Symantec, it is worth it. Never had any problems with them and they always update frequently. I was wondering what you think of Defender vs Avast or AVG. I never used Defender before. I don't particularly like the design of it but oh well!

zzmel

I get the same stuff as far as updates are concerned
Feb 21, 2013 8:08AM PST

If you are infected with malware you will only update to malware. Only use the full version of Windows 8; it cleans the system before installing the correct operating system. If a remote EULA is present you are installing malware from a spyware server; do not use the update function, it is an updated hack of the original malware installed on the system.

Most are legit but...
Feb 15, 2013 5:03PM PST

First of all it is good practise to just use 1 antivirus program. If you use multiple programs they will conflict with each other and end up giving you less protection. On to the main body of the question...

I don't know what version of Windows you are using. If you are using Vista or 7 then when User Account Control pops up it will tell you the name of the file that wants to run, where it comes from and its publisher. If it comes from a signed publisher such as 'Oracle America Inc' then it can most of the time be trusted; if it says unknown then trust it less. If it comes from 'Hard drive on this computer' and not 'Downloaded from the Internet' then that's another reason to trust it. If you are still suspicious then the best thing is to google the name of the file that wants to run; for example, 'jucheck.exe' is a legitimate file used by Oracle to update Java.

I don't know what the procedure is with XP, but as there is no User Account Control then the best thing is probably to download manually from the developer's website.

Here's my suggestion.
Feb 15, 2013 5:14PM PST

Hi, you are quite right to be suspicious about emails saying that there is an update for program X etc. I nearly fell once for one which looked like it came from Microsoft but luckily I noticed a few mistakes in spelling and the from address seemed strange!!

Anyway, I use a wonderful little program called "Secunia PSI" from secunia.com. This program scans all your programs on the computer (it's still not perfect as some programs are missing but more are added regularly. You can also suggest programs!!) and then checks to see if there is a newer version. It will scan in the background as well. When you connect to the net it will check with its server database to see if there is an update even if you don't run a scan. If there is, it will say that an update is available and this way you will know it's true.

Another program is from here CNET Techtracker, again it's not perfect as with me some programs have been misidentified as another one (yes I have reported them several times) or there is a mistake in the version number so it's flagged as out of date but it's not.

One last program is from Filehippo; just like Secunia and CNET's Techtracker this will scan your computer and tell you if any programs need updating. With this one you must be careful to turn off the "SHOW BETA UPDATES".

Why these three, well what one doesn't catch the others will. Well it's worked so far for me and I don't have the time to open each program and manually check ALL 90+ programs on the computer from their updaters.

I hope this has given you some help and ideas.
Regards

Just a little update
Feb 15, 2013 5:22PM PST

With CNET's Techtracker, just use it to see what needs updating then run the updater from the program and NOT TECHTRACKER!! Why? Because it installs other rubbish on the computer if you are not careful and read everything. Updating one program via TechTracker installed "Babylon Toolbar", which my antispy programs classed as spyware, and research on the net did as well.

When using TechTracker to update
Feb 15, 2013 6:05PM PST

make sure you select "Standard Install" from the drop-down and you will then see if any "foistware" is included - you will only have yourself to blame if it gets through.

As for showing updates available for apps that are already up to date, this affects any service like TechTracker and is due to developers/publishers not annotating their software properly so that the version number is not read accurately by the scan.

Sometimes, TechTracker alerts me to available updates when the app's own check for updates says "you have the latest version". On balance, I think it's a worthwhile thing to have.

Almost TOTAL Agreement with Andrew
Feb 15, 2013 7:24PM PST

Secunia PSI, TechTracker and FileHippo are ALL 100% FREE!! I personally "used" to use all three but have since dropped TechTracker. Why? Because just like Andrew said "it sometimes misidentified some programs as needing to be updated even though they were up to date"; also it seemed that TechTracker was usually a day or two behind the remaining two! Sorry CNET!

All three are good but two outshine the third! Like he stated make sure that in FileHippo you turn off the "Show Beta Updates" or you may install a Beta update by mistake!! I have the remaining two on ALL my computers. ( Wife's, daughter's and mine) I wouldn't be without Secunia and FileHippo on them!!

The absolute best part is they are FREE!!!! They will keep your computer up to date with minimal effort!! Also once you install Secunia you can set it, if desired, to do the updates for you! This feature is not 100% successful BUT it will advise you that you have several, usually one or two that requires a manual update!

There are several pay to use programs out there; one is by Raxco and I believe it's called "Perfect Updater". I haven't tried it yet, but why pay for it when the other two do a very good job??? If it's free, it's for me!!!!!!!!

Secunia PSI
Feb 16, 2013 4:41AM PST

I would agree with Andrew Hay. Secunia is very good software and does not use up very much CPU. I keep mine running in background. Quite often, I get update notices before other software updaters advise me.

You can also run MS's Startup Manager to see which updaters are running in background (type system config in the command line, select Startup tab).

Also, you can set most software not to update automatically by selecting "Download updates automatically - let me choose when to install."

Out of the three, just one needs to apply
Feb 16, 2013 10:11PM PST

Update Checker from FileHippo is the winner, fast and unobtrusive. I suggest staying away from both TechTracker and Secunia PSI.

Out of the three, just one needs to apply
Feb 22, 2013 1:19PM PST

Why?

Bad experience.
Feb 22, 2013 10:05PM PST

That is why.

One more thing!
Feb 22, 2013 11:56PM PST

I have found all of these posts very informative. Just about anything you need to know to help make an intelligent decision.
One thing that I have had to keep in perspective is that "if it ain't broke don't fix it". I am almost compelled to constantly find the newest updates and install them thinking I always want to make things run faster, smarter, safer, etc. Most of the time it won't hurt anything but there will always be that once that you'll wish you hadn't pressed the "Download" button.
If you think there is a need to update something on your computer, go to the company's website and find out what the update will do to improve your experience. Often times, it will be something that is not applicable to your situation so there isn't a need for it.

Update software
Feb 23, 2013 12:32AM PST

I have used Secunia for several years and have not had any real problems. It does seem to actually update the Adobe programs but I have to close the program to get it to show complete. The only problem with using Secunia is it only shows security updates. This even applies to Secunia's own updates.
I have started using Filehippo update checker and like it. Filehippo has a great reputation for safety.

Update can be done in a trustworthy manner
Feb 15, 2013 9:59PM PST

If the software in question has been done properly. Think about it, the antivirus regularly requires updates, so wouldn't sabotaging the antivirus update make a very effective way of compromising a system? Surely anyone with a malicious mind would know that. So how could we still trust antivirus then?

I don't know the exact details, but there are things called digital certificates. The basic premise is that with public key encryption, you can encrypt something with a private key which can only be decrypted with a public key. So if you want to distribute something that you want the recipients to know with confidence that it has come from you, give them the public key and encrypt your messages with your private key (which you will keep private). If a message cannot be decrypted with the public key, it hasn't been encrypted with your private key hence couldn't have come from you.

The above pretty much forms the basis of how Windows checks if a particular piece of code has come from a particular publisher. I would think antivirus programs would also use something similar. Obviously if there's no such credential check then anyone can easily spoof an update hence you really shouldn't be using them.
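
Added example, not part of the original posts: the publisher check that the User Account Control post and the digital-certificate post above describe can be run by hand in PowerShell before an installer is launched. `Test-UpdateSignature`, its parameters, and the sample path and publisher name are illustrative assumptions, not names from the thread.

```powershell
# Added example: inspect an installer's Authenticode signature and download
# origin before running it. Requires Windows PowerShell 3.0 or later.
function Test-UpdateSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: the caller knows which publisher name to expect,
        # i.e. the name UAC shows for a genuine copy of the program.
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Windows recomputes the file's hash, compares it with the hash the
    # publisher signed, and validates the certificate chain to a trusted root.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    $publisher = $null
    $issuer    = $null
    if ($cert) {
        $simple    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher = $cert.GetNameInfo($simple, $false)  # who signed the file
        $issuer    = $cert.GetNameInfo($simple, $true)   # CA that issued the certificate
    }

    # Browsers record where a file came from in an NTFS alternate data stream.
    # ZoneId=3 is the Internet zone ("Downloaded from the Internet" in UAC).
    $zone = $null
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $motw) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
    }

    $status  = [string]$sig.Status
    $trusted = $false
    switch ($status) {
        'Valid' {
            if ($publisher -eq $ExpectedPublisher) {
                $trusted = $true
                $reason  = 'Signature is valid and the publisher matches.'
            } else {
                # A valid signature only proves who signed, not that it is the vendor you expect.
                $reason = "Validly signed, but by '$publisher', not '$ExpectedPublisher'."
            }
        }
        'NotSigned'    { $reason = 'No signature: UAC would report an unknown publisher.' }
        'HashMismatch' { $reason = 'File contents changed after it was signed.' }
        default        { $reason = $sig.StatusMessage }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $status
        Publisher  = $publisher
        Issuer     = $issuer
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        ZoneId     = $zone
        Trusted    = $trusted
        Reason     = $reason
    }
}

# Example call; the path and publisher name are placeholders:
# Test-UpdateSignature -Path 'C:\Downloads\example-update.exe' -ExpectedPublisher 'Example Software Inc'
```

`Trusted` is true only when the signature verifies and the signer's name equals the expected publisher, so an installer validly signed by someone else is still rejected.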

You can NEVER be sure
Feb 15, 2013 10:51PM PST

First of all, don't run multiple anti-virus and anti-spyware programs on your computer. Choose one and stick with it. Personally I'm partial to Norton Internet Security, because it puts only a very light load on the system and, despite occasional unsafe computing practices I engage in, nothing has ever gotten by it yet. You can occasionally scan with something like Spybot Search and Destroy to clean out the cruft that isn't really considered "malware" by the AV folks but that you probably do.

Secondly, you can never really be sure. Hackers are cleverer than you, cleverer than me, cleverer than any of us. With the exception of Microsoft and Windows Update, which you pretty much have GOT to trust, it's safer to pull updates from the vendors' sites than to have them pushed onto your computer via an automatic update feature.

Others have a good track record, including Adobe that frequently updates its Flash and Acrobat Reader, which itself presents a whole bunch of weird security problems but that you really can't do without. Sun/Oracle -- the OpenOffice and Java folks -- have problems with their apps but I have not heard any security shortcomings related to their updating of those apps. But Java isn't something most people need, and it is inherently insecure.

When the feature is available, I usually have my applications notify me when there is an update and then I go out and pull it from their websites rather than having it pushed to me from a source that I cannot fully know. If the "notify" feature isn't available, I turn automatic updating off and keep track of updates via various sources, one of which is CNET (another good one for freeware is Majorgeeks.com).

software updates
Feb 16, 2013 4:15AM PST

When I get one of the updates from Adobe or Java, I go directly to their site and do the download from there. That way I know I am getting it from the legit site.

most should have automatic updating
Feb 16, 2013 5:42AM PST

Most programs, if you pay for them, have automatic updating; most free programs offer this also nowadays. If you're unsure of an email you get, go to the site of the program or open your program and update it automatically through the program itself. There is a link that you can click on; this is what I do when I get an email stating that I need to update a program. It's simple after what everyone has said.

You can't, really, and that's only one thing that bugs me!
Feb 16, 2013 6:54AM PST

1) How do I know that the updates are legit?

2) And how do I know if they are in my interest?

3) How do I know they aren't buggier than the current code?

4) How do I know that they aren't updating code without asking or even telling me?

5) How much of my personal information is captured and transmitted without asking me?

An example: For years my bandwidth was too low to support live viewing of video material. So I got quite adept at picking the video file out of the browser cache, so I could view them offline. But the suppliers of such material don't want you to be able to store it. (If you want to watch it again, that's fine, but you must please go back to the web site and generate a few more clicks.)

Then, newer versions of the browsers don't store the full video files anymore. They cache the streaming data in a different format in many slices that your media player can't understand. They didn't ask me if I wanted to upgrade to that. So, sometimes it is good to be able to fall back on an older version ... as you see, even the legit updates are not always in your interest.

Another tip...
Feb 16, 2013 11:09AM PST

...Is to add programs such as "Adobe Reader" to your CNET "Watch List". Then whenever a program is updated, CNET sends an email directly to your inbox.
If you download the program from CNET, it is automatically added to your "Watch List", as long as you have created a profile.

Auto update vs Auto install
Feb 17, 2013 7:59AM PST

Hi Ken
Most everyone so far seems more concerned with back up rather than the question.

First; If you have legit software set it to auto check for updates but check for you to install. This will make sure the update comes from the software not your email (email means phishing).

Second; Check the install stage by stage because most are piggy-backing the install of other programs (tracking mostly, i.e. search bars and trial antivirus and other such) along with the update. If you don't watch for and uncheck those you will end up choking your computer with them.

Can you trust update Notices? NO, you cannot trust anything
Feb 17, 2013 6:46PM PST

You are correct in that the bad guys often pose as legitimate things to fool you into clicking on them. From emails that look like they are coming from a friend to fake warnings from banks and other financial institutions, it is getting that you cannot trust anything or anyone. Unfortunately, you cannot count on security software to catch these, especially if you initiate the install by agreeing to it or by allowing it when the User Account Control pops up. Unfortunately, the bad guys always seem to be a step ahead of the security software.

To date, I have not run into a fake update for Flash, Acrobat, Java or Windows but I suppose it could happen any day now.

In the end, your best line of defense is to install all updates manually instead of simply clicking on OK when some popup shows up on your screen. Here is one approach:

When you receive a popup that says there is an update from Adobe Flash, Adobe Acrobat Reader, Java, Windows or any other software, simply close the notice and check for updates manually. Here are the methods for the most common updates:

ADOBE FLASH PLAYER
1. Open your Start menu and click on Control Panel
2. Change from Category View to Small Icons or Classic View
3. Click on the Flash Player icon
4. Select the Advanced Tab
5. Click on Check Now
Note: You may also want to change the Updates settings at this time

ADOBE ACROBAT READER
1. Open Acrobat by clicking on the Icon on your desktop or by opening a PDF document
2. Click on the Help menu at the top
3. Select Check for Updates and follow the instructions

JAVA
1. Open your Start menu and click on Control Panel
2. Change from Category View to Small Icons or Classic View
3. Click on the Java icon
4. Select the Update Tab
5. Click on Update Now
Note: Again, you can change the update settings in this section too

WINDOWS UPDATES
1. Right Click on Computer or My Computer and select Properties then Select Windows Update from the menu or Click on the START Menu and type Windows Update in the search bar, then Select Windows update.
2. Select Check for Updates on the left hand menu

OTHER SOFTWARE
Most all programs have a "check for updates" section somewhere under the Help menu or the File menu. Once you find it, simply follow the instructions to locate and install the latest updates for that specific software.

WARNING: Many updates such as those from Java and Adobe often come packaged with other junk that you may not want. Watch carefully for check boxes that are already checked that agree to installing a new toolbar or some other piece of free or trial software.

Some might recommend not installing updates at all, but this is not a good idea either. Many updates are provided to patch security flaws, which if not performed, can leave you even more at risk.

Dana
Wayland Computer

You're absolutely right, Dana:
Feb 17, 2013 9:48PM PST

I for one have these pop ups and they do look legit. It is best to go to their site and see for yourself if there are updates. Being lazy that I am, I sometimes do click on it and so far no problems. You really have to be careful though because there can be toolbars included which you don't want or possibly something else that they want you to download. Most of the time, you are notified of this and can opt out. There are a few that you have to be careful of and that's malware. That you can tell because they're sometimes not easy to get rid of. Then you have to search it out and get rid of what you can. The problem is the dll is still in the registry, which are leftovers called fragmented files, and you should first try to run a registry checker. There is a good free one and I think it is cc cleaner. I am not certain of the name but you can look it up in snapfiles.com, a trustworthy source that I have been using for years. Finally if the problem is not solved you can always do a restore to a previous day.

zzmel

Popups
Feb 22, 2013 9:45PM PST

If you get these popups resident from your computer instead of email you are already infected; someone has put that program to pop up and take you to a false site for further intrusion. The poster, I believe, is talking about getting these in his email; that's dangerous.

printing out this page.
Feb 22, 2013 9:29AM PST

Just right clicking with my mouse to print this is not so good. The left justified categories run into the actual article and the answers. Although I can read it OK, it would be nice to be able to print out the page as it looks on my screen. Can you help with that? thanks. alg

Print screen
Feb 22, 2013 12:12PM PST

Gadwin Systems "Print Screen" works