

Is there any risk of using outdated Filezilla?




Posted by strawberrybob, 12-29-2014, 06:37 AM
I am using Filezilla for uploading and downloading my website contents. I didn't update my Filezilla software for like three months. Each time I start Filezilla it automatically scans for an updated version and pops up to update. So I'm just wondering, is there any security risk of using outdated Filezilla?

Posted by Dr_Michael, 12-29-2014, 06:49 AM
I would recommend changing the FTP password to a random one, each time AFTER you connect with Filezilla.

Posted by Srv24x7, 12-30-2014, 08:38 AM
Hi, older versions turn out to be buggy at times. New ones are released with patches for the vulnerabilities that were found in older versions.

Posted by EthernetServers, 12-30-2014, 08:43 AM
I'm curious as to why you're not updating, to be honest. Can you explain?

Posted by nycvictor, 12-30-2014, 08:48 AM
I don't think that having an outdated FTP client is that much more of a vulnerability beyond the inherent vulnerability of FTP, which is an unencrypted protocol. I'd switch to WinSCP for SCP or SFTP, which are both encrypted protocols. But as the previous poster said, I am also curious why not update. All these programs update with just one or a few clicks.

Posted by SPaReK, 12-30-2014, 12:29 PM
You're probably not going to lose a whole lot by not upgrading, but you're also not going to gain anything. Something installed on your local computer is a bit more difficult to exploit remotely. Compare this to a script or something installed on your website or something that is remotely accessible via the Internet and the differences are huge.

But that doesn't mean that something local can't be locally exploited. If you are not entering your password for something that requires a password (like an FTP login, or an email account) then that password is being stored somewhere. How securely is that information stored? That is where an application update can be useful. If you get a trojan, virus, or worm on your computer then it may be able to more easily break any storage encryption system of these passwords (for what it's worth, SFTP doesn't help in this regard, if the password is stored somewhere it is subject to storage encryption and how good that is).

Bottom line, updating end-user applications probably isn't as important as scripts or "always facing the Internet" applications like WordPress or Joomla! But if you're not updating your applications, there's a good bet that you aren't updating your core OS, which may contain more important bug and security fixes.

You might look at it in terms of numbers: if you don't update your FTP application you might say you have a 1% chance of something bad happening. That may seem small. But why risk even the 1%? What is so important that not updating is better than updating? If everybody would keep everything (website scripts, OS updates, applications) up to date, that would help security immensely. Coupling that with using well-written and quality scripts/OS/applications would also improve security.

It's kind of like end-user anti-virus/anti-malware software. If you are careful with what you do, if you keep everything up to date, and just think from a security perspective, then an anti-virus/anti-malware software is probably not necessary. I wouldn't recommend not having one, but you can see why it might be unnecessary if proper attention is being paid.

I should also mention that not every update is going to be a security update. So from a pure security standpoint, having the latest version may not make you any more secure. But as a general rule of thumb, whenever a new version of something is released, it is usually fixing a security flaw. Might be a minor security flaw, but is still a security flaw. Unless you read through the release notes for each version, you really don't know if it's a security update or just a feature update. But if you are always running the latest version, then you know you are always patched against the known security flaws in an application.


