Updating our Thinking on Software Updates
eSecurityPlanet columnist Ken van Wyk looks at the issue of software updates -- particularly the lack thereof for mobile devices.
That's right. They're ugly, clunky, kludgy, annoying, and they are all too easily used as an excuse for releasing software before it's fully baked.
I've been the victim of software that was released before it was ready for prime time on way more than one occasion. With automatic software updates increasingly becoming acceptable, if not expected practice for operating systems and application software alike, the temptation for unscrupulous product managers to release 0.9 versions of code must be staggering. They can always release updates to bring the releases up to 1.0 status in a couple months or so, right? It happens. I'm convinced of it.
To make matters even worse, updates are a veritable 'kick me' sign for phishing scams and the like. With Microsoft releasing its monthly batch of patches on the same day every month, we've already seen several phishing scams that exploited that timing by pre-emptively sending out spoofed "Microsoft" security bulletins that, in fact, duped the unsuspecting user into going to a site other than Microsoft's official patch page. (Admittedly, these phishing scams don't affect the automatic updaters, plus Microsoft does PGP-sign its bulletins. Nonetheless, the spoofed bulletins were likely to have been effective at netting more than their share of unsuspecting users.)
Heaven forbid the vendor's patch site gets broken into by someone wishing to do real harm. We've seen that happen on static sites, even static patch repository sites. To my knowledge, though, we haven't seen it yet on automatic update sites. So, lest I get accused of being a FUD monger, which I truly am not, I'll just leave that last little scenario in my nightmare closet and not speak of it again.
Yes, automatic software updates are ugly. And they're also the status quo. We've come to use them pretty extensively, even rely on them, in many cases, to keep our software configurations on par with the latest security patches from our vendors. At least in the realm of desktop operating systems and applications, automatic updates have become the chosen mechanism for distributing security patches, feature updates, and so on.
I haven't met many IT people who are brave enough to run automatic updates on their production servers, but that day will no doubt come, as well. And to anyone who does do automatic updates on production servers, I have this advice: Keep your resume on your home PC.
Now, in the interest of full disclosure, I will admit that I too run automatic updates on a slew of software on my traveling (XP) laptop, as well as my SOHO (Debian Linux) network. I can't say I'm not happy about it, though.
But let's talk about software updating on mobile devices -- everything from (so-called) smart phones and PDAs to Blackberry (or functionally equivalent) devices. Heck, let's toss in MP3 players and such, along with those, I suppose.
The status quo in the mobile world is that they haven't caught up, if you can really call it that, with the traditional PC world. In many cases, if a security patch or feature update exists for a mobile device, you have to take the device to the vendor/provider and have them burn new firmware using proprietary devices to make the physical connection. That is assuming that you even know that the update is available. That's not acceptable to me as a user of these devices, and it shouldn't be to you either.
I should note that I fully realize I'm generalizing here. Some mobile devices can be updated by the end user using nothing more than a Web browser and some PC synchronization software. But even in those cases, the update process isn't as smooth as it is in the (imperfect) desktop PC world that I described above. At the very least, there are few, if any, acceptable channels for the product vendors to notify their customers when patches are even available.
Just a couple of weeks ago, there was an announcement of a new email forum called "MobileBugtraq". Like its non-mobile counterpart, MobileBugtraq is an open forum set up for the sole purpose of discussing security vulnerabilities -- in their full technical detail. The only difference is that it specializes in vulnerabilities that affect mobile devices. So you can bet that vendors and providers of mobile devices and services are going to need to find better ways of getting software security updates out to their customers.
It would sure be nice if the mobile world would take a look back at some of the problems and mistakes made in the desktop world with regard to software update mechanisms, and then get ahead of the problem by setting up mechanisms that are worthy of our trust. These should include notification mechanisms that use -- from day one -- digital signatures so we can always authenticate the source of the notification messages.
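To make concrete what a signed notification mechanism buys you against the spoofed-bulletin phishing described earlier, here is an added example (not code from the column or from any vendor) of a device-side check. It assumes a hypothetical notification format of my own, uses Ed25519 from Go's standard library in place of PGP, and uses a placeholder vendor host under the reserved `.invalid` domain. The device ships with the vendor's public key; a notice is only acted on if the signature verifies under that key and the signed download URL points at the vendor's own site over HTTPS. A bulletin signed with someone else's key is rejected, and so is a genuine bulletin whose download link has been edited, because the URL is covered by the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// UpdateNotice is a hypothetical update-notification message, constructed for
// this example; a real vendor would define its own format.
type UpdateNotice struct {
	Vendor    string
	Product   string
	Version   string
	URL       string // where the device should fetch the update
	Signature []byte // Ed25519 signature over canonical(notice)
}

// canonical serialises the signed fields in a fixed order so signer and
// verifier sign/verify exactly the same bytes. The signature is not included.
func canonical(n UpdateNotice) []byte {
	return []byte(strings.Join([]string{n.Vendor, n.Product, n.Version, n.URL}, "\n"))
}

// SignNotice produces a notice signed with the vendor's private key.
func SignNotice(priv ed25519.PrivateKey, n UpdateNotice) UpdateNotice {
	n.Signature = ed25519.Sign(priv, canonical(n))
	return n
}

// VerifyNotice accepts a notice only if (1) the signature verifies under the
// public key the device shipped with and (2) the download URL points at the
// vendor's own host over HTTPS. A spoofed bulletin fails (1); a genuine bulletin
// with a rewritten URL also fails (1), because the URL is part of what is signed.
func VerifyNotice(pub ed25519.PublicKey, trustedHost string, n UpdateNotice) error {
	if len(n.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, canonical(n), n.Signature) {
		return errors.New("signature does not verify: notice was not signed by the trusted vendor key")
	}
	u, err := url.Parse(n.URL)
	if err != nil {
		return fmt.Errorf("malformed download URL: %w", err)
	}
	if u.Scheme != "https" || !strings.EqualFold(u.Hostname(), trustedHost) {
		return errors.New("download URL does not point at the vendor's patch site over HTTPS")
	}
	return nil
}

// Scenario builds a vendor key, a genuine notice and two forgeries, and returns
// the verification result for each so the behaviour can be checked directly.
func Scenario() (genuine, spoofedKey, tampered error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const host = "updates.example-vendor.invalid" // placeholder vendor host

	authentic := SignNotice(vendorPriv, UpdateNotice{
		Vendor: "ExampleVendor", Product: "ExamplePhone", Version: "2.1.3",
		URL: "https://" + host + "/firmware/2.1.3.bin",
	})
	genuine = VerifyNotice(vendorPub, host, authentic)

	// A look-alike notice signed with a key the device does not trust.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fake := SignNotice(otherPriv, UpdateNotice{
		Vendor: "ExampleVendor", Product: "ExamplePhone", Version: "2.1.4",
		URL: "https://updates.example-vendor.invalid.lookalike.invalid/firmware.bin",
	})
	spoofedKey = VerifyNotice(vendorPub, host, fake)

	// The genuine notice with only its URL rewritten: the signature no longer matches.
	edited := authentic
	edited.URL = "https://lookalike.invalid/firmware.bin"
	tampered = VerifyNotice(vendorPub, host, edited)
	return
}

func main() {
	g, s, t := Scenario()
	fmt.Println("genuine notice:", g)  // <nil>
	fmt.Println("spoofed notice:", s)  // signature error
	fmt.Println("tampered notice:", t) // signature error
}
```

The host check is deliberately kept even though the URL is signed: it is the backstop for the day the vendor's own signing key is misused, and it pins the device to the vendor's patch site rather than to whatever link the notice carries.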
FUD mongering aside, if the mobile world doesn't catch on quickly, many of us are pretty darned likely to have some rather expensive paperweights before long. But heck, I'm sure they'll make for fascinating conversations when colleagues walk into our offices.