
Hate automatic software updates? You’re not alone

By USA Today (TNS) - May 31, 2017 - Last updated at May 31, 2017


By Elizabeth Weise 

SAN FRANCISCO — Grit your teeth and let your computer update itself. That’s the advice of security experts, who say consumers should welcome those updates because they serve a crucial purpose highlighted by the victims of the WannaCry ransomware attack.

In the case of the massive cyber security offensive that hit computers in over 150 countries last week, users who had installed a Microsoft-issued patch were immune. Those that hadn’t could be hijacked.

In a world where computers and the software that runs them are under near-constant assault, updates allow companies like Microsoft, Apple and Google to keep customers safe — to the annoyance of many users.

“Think of this whole thing between the hackers and us, the average people, as an arms race. The hackers find a vulnerability, the companies find something to counter it,” said John Otero, a professor at St John’s University’s computer security programme.

But too many consumers turn off updates or refuse to install them when they pop up, either because they like their programmes as they are, or because they fear the updates themselves may be malicious, or simply because it’s too much work or downtime.

A study by the Pew Research Centre in January found that 14 per cent of consumers never updated their smartphone’s operating system and 42 per cent waited “until it was convenient”.

Younger users seem to be more onboard with updates. Pew found that 48 per cent of younger users, 18- to 29-year-olds, had their smartphones set to automatically install updates when they were available. But 13 per cent still said they never updated their systems.

Microsoft significantly changed its update model with its Windows 10 operating system by allowing for automatically installed updates, with some flexibility about timing on the part of the user. Major upgrades can only be deferred for 180 days, with a 60-day grace period. And in a change from the past, its weekly security patches are now bundled together, whereas it used to be possible to choose which to install.

Many of the computers affected by WannaCry were running the Windows XP operating system, which could not initially be patched because Microsoft stopped supporting the programme in 2014 except for a high fee. In the case of WannaCry, Microsoft took the unusual step of issuing a free patch for Windows XP machines due to the severity of the threat.

As attacks increase, companies are increasingly pushing out updates.

“Apple used to only update their software once a year and now they do it monthly, mostly for security patches. Microsoft used to be able to go a year for a big update,” said Daniel Ladik, a professor who specialises in digital marketing at Seton Hall University in South Orange, New Jersey.

Those ever-more-frequent updates also often include a mix of both security and general software changes — to the frustration of users. They complain some updates force them to reset preferences or that the updates cause crashes. The frequency and glitches have given updates a bad name, leading some consumers to ignore these persistent reminders.

Sometimes settings change, “so suddenly you’re getting push notifications even though you had them turned off so you’ve got to go back in and reset everything,” said Ladik.

 

‘No one wants to be interrupted’

 

That’s the challenge for the technology industry: To keep consumer data safe, software makers need to convince users to constantly maintain their programmes. But the more they interrupt consumers, who are increasingly tethered to their smart devices, the less these consumers want to play along.

A Google survey of security experts and regular web users in 2015 found a wide gap between the two when it comes to updates. A full 35 per cent of experts — but only 2 per cent of non-experts — said installing software updates was one of their top security practices.

Google thinks it is less a reluctance to install updates and more just not wanting to be hassled.

“No one wants to be interrupted in the middle of doing a task they’re concentrating on to pause and deal with something totally unrelated,” said Parisa Tabriz, a Google Chrome security expert. That is why the Google operating system is automatically updated, she said.

Grady Summers, chief technology officer with security company FireEye, thinks the fear of installing something that will crash a system or brick a device is overinflated, especially compared to the danger of getting hacked.

“The risk is minuscule compared to the risk you run by not patching. Companies like Microsoft and Google extensively test updates for compatibility. Unless you’re running very specialised software, you shouldn’t be concerned,” he said.

This leads to a mismatch between security concerns and consumer concerns.

Ladik tends to be of the “if you’re unsure, don’t do it” school of thought, figuring that for most devices he can skip somewhere between three and five updates before they stop working.

That outlook drives security professionals to distraction.

“The inconvenience experienced from potential changes due to patching is a fraction of the hassle involved in recovering from a compromise. Take the medicine, it’s far better than the disease,” said John Bock, a vice president of application security at Optiv, a computer security company.

Users do not always see it that way. “Sometimes the medicine is worse than the disease itself,” said Otero, a former commanding officer in the New York Police Department’s computer security unit.

To his mind, updates make sense for businesses, because they have a tech staff and can test systems when they install updates. Consumers don’t have that luxury. So he often waits a few days when an update comes out, keeping an eye on what others are writing online about the new code.

“Sometimes you’ll go on and see a couple of hundreds of people saying the same thing — ‘Don’t do it! It will break!’” said Otero.

Security experts say the reality is that most people do not remember to update. And waiting is becoming increasingly less safe.

“As attackers become more sophisticated and more automated, the time it takes them to exploit unpatched systems shrinks significantly. This means the risk of not auto-updating systems goes up in comparison to using an update that has not been verified in the field,” said Ayal Yogev, vice president of product management at SafeBreach.

One solution would be for companies to separate security updates from programme updates. That would let users choose security immediately but give them control over when they want to automatically update other aspects of programmes or operating systems, said Cooper Quintin, a staff technologist with the Electronic Frontier Foundation, a San Francisco-based digital advocacy group.

 

“The branding of automatic updates has been severely tarnished in the public eye because of updates that break things or that drastically change the programme,” he said.
