Patches, Auto-updating, And Convenience
June has been a busy month for web-centric security patches. Microsoft fixed 31 different vulnerabilities (many affecting IE and Office), Adobe patched critical vulnerabilities in Adobe Acrobat and QuickTime, Google plugged some WebKit holes in Chrome, Apple released over 50 security fixes for Safari, and Firefox had 11 security vulnerabilities fixed, half of which were rated critical. With a lineup like this, a majority of the world is going to need to install patches to keep safe.
Despite the patches being available, history has shown that people don't always install them. Installing patches is an inconvenience; it interrupts the use of the system and potentially requires reboots. In enterprise environments, all of this can be semi-automated with patch management and deployment systems, centralized patch repositories like WSUS, and policies that dictate the employee just sit tight while mandatory patches are applied. But for home users, computer use is often casual--which means convenience has a very strong influence. If they get on the computer to check email or surf MySpace, they are likely to not want to postpone those computing desires in order to deal with installing patches first. That's assuming they even know about the availability of patches in the first place.
Recently some folks from Google and their partners released an analysis of web browser auto-update approaches. The analysis compared how quickly patches gained widespread deployment under the different patching processes each browser offers. For example, Chrome does "silent updates"--it will download patches/new versions and automatically install them without telling you. Firefox will automatically download updates, but you still have to manually agree to the installation via a prompt given to you by Firefox. Safari tells you that an update is available, but then you have to manually agree to download and then install the update. Opera will inform you of a new version, but then you have to manually download the update yourself and proceed through the install wizard. Internet Explorer relies on the Windows Automatic Update agent to download and install patches.
Overall, the Google analysis found that Chrome’s silent update approach resulted in the widest spread of update deployment (97% of systems patched/updated) within a fixed period (three weeks). Firefox wound up with 85% of systems patched/updated after three weeks, and Safari and Opera wound up with some pretty low numbers. The conclusion? Badgering the user to be involved in the update process causes them to interrupt, abort, or ignore the process, leaving the patches/updates unapplied. That is non-ideal when security is involved.
But the mere availability of auto-update mechanisms (Chrome, Windows) doesn't solve the problem per se. I've encountered situations on numerous occasions where the user has disabled the automatic updating process because the software they were using was, well, "borrowed." Microsoft has been struggling with this issue for years now: whether to allow pirated copies of Windows to be eligible for service pack updates and other patches. They have slipped various anti-piracy checks into their update process under the moniker Windows Genuine Advantage, which means only legitimate copies of Windows have access to the collection of updates. But even if the software vendor doesn't implement technical restrictions to prevent pirated versions from updating, the user's conscience might still prevent it. A person who "borrows" a commercial software application from their friend is less likely to run to the vendor asking for support and updates, because they do not want to get their friend in trouble for handing out pirated copies. Such people are more likely to disable anything that automatically alerts the vendor to the second copy, and/or will ignore any updates (where they might be asked how they got the software in the first place) and just stick with the original (now outdated and insecure) version.
Overall, this whole timely security patching business is a tough problem to solve, because it's not simply a matter of expecting users to download an installation file off a website and double-click it.
Until next time,