Mallory tries to hack an OS in order to spy on Alice. 

TL;DR: skip to the conclusions to see what Alice learned. 

Update your browser regularly

Every once in a while you’re asked to update the software on your computer, or just told that there’s a new version of, for example, your browser ready for download. Many people don’t immediately follow this advice. This is understandable, we all have our lives to live beyond updating our software. It’s a hassle. However, from a security perspective, updating regularly is the most important thing you can do to protect yourself. And to be honest, once you get in the habit, it’s not that big a deal: all you need to do is close your browser and reopen it again.

Why is this so important? There’s a big community of security experts who work hard to discover new vulnerabilities. When they find something, they inform respective software developers who in turn work to fix those issues promptly and release new versions. As a result, the most recent version of any software product is the most secure one. Old versions have known weaknesses, and Mallory-minded people know this well. Most of the hacks that occur these days use already known, but not yet patched bugs. What makes this possible is people not updating their software in a timely manner. 

So, are you convinced? How about you close your browser now and reopen it? We’ll be waiting right here.

Update your OS regularly

The main security goal of a browser is to let you safely browse untrusted websites and run untrusted web apps. Ideally, you should be able to run even the most malicious JavaScripts in your browser, as well as open poisoned PDFs, JPEGs and many other file formats with no harm done to you. All of those untrusted files are processed in security sandboxes, designed to contain threats. A sandbox is the browser’s fortified boundary between the untrusted internet and your trusted computer. 

In other words, the browser does not trust the internet. However, the browser trusts the operating system on which it runs. Android, Windows, iOS, macOS and Linux are all operating systems, or OSs. The browser blindly trusts the OS because, quite frankly, it doesn’t have a choice. It is virtually impossible to create a browser that would be able to protect itself from a hacked OS. Therefore, protecting your OS is equally important to protecting your browser. 

This is why you have to update your OS regularly. 

Every modern OS will let you know when a new version becomes available. Microsoft Windows updates every 2nd Tuesday of the month (and sometimes the 4th Tuesday as well), at 17:00 or 18:00 UTC. This is called Patch Tuesday. Put that in your calendar so that you can update Windows ASAP. Updates always come with a list of changes made. You can read it yourself if you’re interested, or wait for the monthly set of articles that inevitably follows. 

Update everything else by priority 

All the software you use is safest when it’s up to date. But not all software is equally important for the privacy and security of your data. The browser and the OS are usually the most important. You use your browser to access the untrustworthy depths of the internet, which means it’s the first line of defence. The OS is your last line of defence, which controls access to your camera, microphone, and files. 

Additionally, other network-facing applications that you use a lot can have a similar impact on your privacy. These could be social media, fitness, or navigation apps, among others. However, a notepad is far less likely to be hacked remotely, as it has what we call a smaller attack surface. The attack surface is the sum of places which the attacker can hit. 

The bottom line is that, if you don’t have enough space on your Android or iOS device to update all the apps, at least update your OS and browser. Next, update whatever else you frequently use that is connected to the internet. Lastly, everything else. 

Conclusions

• All browsers blindly trust the OS (Android, Windows, iOS, macOS, Linux). If the OS is hacked, all bets are off. It would not be your computer anymore, and your data would not be safe. The security model of all modern OSs makes browsers and other software products unable to defend themselves against a hacked OS. 
• The main security goal of a browser is to let you safely browse untrusted websites. You should be able to run malicious JavaScripts in your browser, as well as open poisoned PDFs, JPEGs and many other file formats. All of those untrusted files are processed in security sandboxes, designed to contain the threats. In other words, the browser implements a fortified boundary between the untrusted internet and your trusted computer. 
• The responsibility for keeping your computer safe is shared between all your network-facing software products and yourself. The products should not be remotely hackable. If there’s a defect that allows unauthorized remote access, it should be quickly fixed. Your responsibility is to install those fixes right away. Therefore, if your OS or browser asks you to install an update, do it as soon as possible. 
• Most actual hacks are done using already known but not yet patched vulnerabilities. This is possible because people don’t patch their software in a timely manner. 
• If you don’t have enough space on your Android device to update all your games and other products, at least update the browser. The browser and the OS (Android in this case) are the most critical from the security perspective. 
• MS Windows gets updates on every 2nd Tuesday of the month (and sometimes on the 4th Tuesday), at 17:00 or 18:00 UTC. This is called Patch Tuesday. Put that in your calendar so that you can update Windows ASAP.

browser privacy

---