
Critical Microsoft, Adobe, and Oracle updates: Like dental floss for your PC

Fed up with productivity-killing patches? Welcome to the club. Now install them.

I was still wiping the sleep from my eyes this morning when the nagging voice kicked in: before trawling the Internet for news, you better install yesterday's security updates.

It wasn't a pleasant thought, given the raft of patches released yesterday by Microsoft, Adobe, and Oracle for a variety of products. But as someone who has covered computer security for eight years, I've come to make updating a top priority. And for good reason. A large percentage of the booby-trapped websites that surreptitiously install malware on visitors' machines exploit vulnerabilities that have already been patched.

The recent hack on Yahoo's ad network, for instance, targeted two security flaws in the Java software framework that Oracle had fixed 17 and 24 months ago, Trend Micro reported in a blog post. Those who visited compromised Yahoo servers with up-to-date systems were immune to those attacks. By contrast, people using unpatched software were exposed to malicious payloads that installed the Dorkbot and Gamarue trojans, as well as malware that turned visitors' machines into Bitcoin miners.

This morning's long slog began with a critical update for Adobe's Flash player. When I downloaded the patch with Firefox, it updated Flash for that player, but remarkably, Internet Explorer was still showing it was running a vulnerable version of Flash. When I downloaded the installer with IE and installed it, IE was finally updated too. I'm not sure if there's something unusual about my system that requires me to update Flash twice, but this is problematic. Allowing vulnerable versions of Flash to remain on a computer could leave it open to compromise by the right attacker. In 2014, you'd think there would be a way for a single patch to update Flash across the board.

Once I was done installing Flash—twice—it was on to the critical update for Adobe Reader. And then a critical update for Java. And then a half-dozen updates for Windows and Microsoft Office. While they were listed only as "important"—a less severe rating than "critical"—there are often ways for attackers to inflict plenty of damage by exploiting them. It was better to install them sooner rather than later.

It took a full 15 minutes for me to update just one of my Windows 7 machines. Granted, the dual Flash updates wouldn't have been necessary had I been running Windows 8, since Flash on that OS is automatically updated through the Windows Update mechanism. I'll try to remember that next month. Still, it's unfortunate that the single most important thing end users can do to make themselves safe online—religiously install updates as soon as they become available—is such a productivity killer.

Microsoft, Adobe, Oracle, and Apple have done a lot in the past decade to make security patches easier to obtain and install. But they need to do more, especially for those of us with multiple computers to update or even multiple virtual machine instances running on a single computer. In the meantime, end users should view security patching the same as dental flossing—a hassle, but something that's essential for good hygiene.

Story updated in the second-to-last paragraph to reflect that automatic Flash updates are available only in Windows 8.
