Updating our Thinking on Software Updates

Automatic software updates are the worst possible form of security patch management... except for all the rest.

That's right. They're ugly, klunky, kludgy, annoying, and they are all too easy to use as an excuse for releasing software before it's fully baked.

I've been the victim of software that was released before it was ready for prime time on way more than one occasion. With automatic software updates increasingly becoming acceptable, if not expected, practice for operating systems and application software alike, the temptation for unscrupulous product managers to release 0.9 versions of code must be staggering. They can always release updates to bring the releases up to 1.0 status in a couple of months or so, right? It happens. I'm convinced of it.

To make matters even worse, updates are a veritable 'kick me' sign for phishing scams and the like. With Microsoft releasing its monthly batch of patches on the same day every month, we've already seen several phishing scams that exploited that timing by pre-emptively sending out spoofed "Microsoft" security bulletins that, in fact, duped the unsuspecting user into going to a site other than Microsoft's official patch page. (Admittedly, these phishing scams don't affect people who let the automatic updater do the work, and Microsoft does PGP-sign its bulletins, so anyone who actually checked the signature would have caught the fakes. Nonetheless, the spoofed bulletins were likely to have netted more than their share of unsuspecting users.)

You're also placing a tremendous amount of implicit trust in the vendor's update system -- in its servers and in the people who run them -- and, by the way, further eroding any illusion you may still be clinging to about having a security perimeter: the update client is a piece of software inside your network that periodically fetches and executes code from outside it.

Heaven forbid the vendor's patch site gets broken into by someone wishing to do real harm. We've seen that happen on static sites, even static patch repository sites. To my knowledge, though, we haven't seen it yet on automatic update sites. So, lest I get accused of being a FUD monger, which I truly am not, I'll just leave that last little scenario in my nightmare closet and not speak of it again.

Yes, automatic software updates are ugly. And they're also the status quo. We've come to use them pretty extensively, even rely on them, in many cases, to keep our software configurations on par with the latest security patches from our vendors. At least in the realm of desktop operating systems and applications, automatic updates have become the chosen mechanism for distributing security patches, feature updates, and so on.

I haven't met many IT people who are brave enough to run automatic updates on their production servers, but that day will no doubt come, as well. And to anyone who does do automatic updates on production servers, I have this advice: Keep your resume on your home PC.

Now, in the interest of full disclosure, I will admit that I too run automatic updates on a slew of software on my traveling (XP) laptop, as well as on my SOHO (Debian Linux) network. And I can't say I'm unhappy about it.

But let's talk about software updating on mobile devices -- everything from (so-called) smart phones and PDAs to Blackberry (or functionally equivalent) devices. Heck, let's toss in MP3 players and such along with those, I suppose.

The status quo in the mobile world is that it hasn't caught up, if you can really call it that, with the traditional PC world. In many cases, if a security patch or feature update exists for a mobile device at all, you have to take the device to the vendor/provider and have them burn new firmware using proprietary devices to make the physical connection. That is assuming that you even know that the update is available. That's not acceptable to me as a user of these devices, and it shouldn't be to you either.

I should note that I fully realize I'm generalizing here. Some mobile devices can be updated by the end user using nothing more than a Web browser and some PC synchronization software. But even in those cases, the update process isn't as smooth as it is in the (imperfect) desktop PC world that I described above. At the very least, there are few, if any, acceptable channels for the product vendors to notify their customers when patches are even available.

Just a couple of weeks ago, there was an announcement of a new email forum called "MobileBugtraq". Like its non-mobile counterpart, MobileBugtraq is an open forum set up for the sole purpose of discussing security vulnerabilities -- in their full technical detail. The only difference is that it specializes in vulnerabilities that affect mobile devices. Once a vulnerability is published in that kind of detail, every attacker has it too, and the clock starts running. So you can bet that vendors and providers of mobile devices and services are going to need to find better ways of getting software security updates out to their customers.

It would sure be nice if the mobile world would take a look back at some of the problems and mistakes made in the desktop world with regard to software update mechanisms, and then get ahead of the problem by setting up mechanisms that are worthy of our trust. These should include notification mechanisms that use -- from day one -- digital signatures, so we can always authenticate the source of a notification message, and update images that are themselves signed, or at least bound to the signed notification by a cryptographic hash, so that a break-in at the download site doesn't turn into malicious code on every device that trusts it.
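What such a mechanism looks like in code, as an added example written for this page (it is not the column's own code, nor any vendor's): a vendor signs an update notice with an Ed25519 key, the device verifies the notice against a public key pinned into it, and only then trusts the URL and the hash of the update image that the notice names. The product name, the hosts, the version string and the "firmware image" are all constructed for illustration; the example goes slightly beyond the paragraph above by also showing the three failure cases a practitioner would want to see rejected: a notice edited in transit, a notice signed with the wrong key, and an image that doesn't match the signed hash.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// UpdateNotice is a hypothetical update notification: the device acts on it
// because the vendor signed it, never because of where it arrived from.
type UpdateNotice struct {
	Product string `json:"product"`
	Version string `json:"version"`
	URL     string `json:"url"`    // where to fetch the update image
	SHA256  string `json:"sha256"` // hex digest binding the notice to that image
}

var ErrBadSignature = errors.New("notice signature does not verify against the pinned vendor key")
var ErrDigestMismatch = errors.New("update image does not match the digest in the signed notice")

// SignNotice runs in the vendor's release process, where the private key stays.
// It returns the exact bytes that were signed and the signature over them.
func SignNotice(priv ed25519.PrivateKey, n UpdateNotice) (body, sig []byte, err error) {
	if body, err = json.Marshal(n); err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyNotice runs on the device against the vendor public key pinned into it
// at manufacture. The bytes are verified before they are parsed, so nothing in
// the notice is trusted until the signature checks.
func VerifyNotice(vendorPub ed25519.PublicKey, body, sig []byte) (UpdateNotice, error) {
	var n UpdateNotice
	if !ed25519.Verify(vendorPub, body, sig) {
		return n, ErrBadSignature
	}
	err := json.Unmarshal(body, &n)
	return n, err
}

// VerifyImage ties the downloaded bytes to the verified notice, so a
// compromised download site cannot substitute its own image.
func VerifyImage(n UpdateNotice, image []byte) error {
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != n.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// DemoResult holds the outcome of four constructed scenarios (nil means accepted).
type DemoResult struct {
	Genuine, Tampered, WrongKey, WrongImage error
}

// Demo uses freshly generated keys and a made-up image; the product name and
// URLs are assumptions for illustration, not a real vendor or host.
func Demo() DemoResult {
	must := func(err error) { // setup only: key generation and JSON encoding
		if err != nil {
			panic(err)
		}
	}
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	image := []byte("constructed firmware image, not a real update")
	sum := sha256.Sum256(image)
	notice := UpdateNotice{Product: "ExamplePhone", Version: "1.0.1",
		URL: "https://updates.example.com/examplephone-1.0.1.bin", SHA256: hex.EncodeToString(sum[:])}
	body, sig, err := SignNotice(vendorPriv, notice)
	must(err)
	_, spoofSig, err := SignNotice(attackerPriv, notice) // spoofed bulletin, attacker's own key
	must(err)
	// A phisher rewrites the download URL in transit but cannot re-sign the bytes.
	tampered := bytes.Replace(body, []byte("updates.example.com"), []byte("evil.example.net"), 1)
	var r DemoResult
	n, err := VerifyNotice(vendorPub, body, sig) // 1. genuine notice and the image it names
	if err == nil {
		err = VerifyImage(n, image)
	}
	r.Genuine = err
	_, r.Tampered = VerifyNotice(vendorPub, tampered, sig)                      // 2. edited in transit
	_, r.WrongKey = VerifyNotice(vendorPub, body, spoofSig)                     // 3. not the vendor's key
	r.WrongImage = VerifyImage(n, []byte("image served by a compromised mirror")) // 4. wrong bytes
	return r
}

func main() {
	r := Demo()
	fmt.Printf("genuine: %v\ntampered: %v\nwrong key: %v\nwrong image: %v\n",
		r.Genuine, r.Tampered, r.WrongKey, r.WrongImage)
}
```

The design choice worth noticing is that the device verifies the raw signed bytes and only then parses them: there is no canonicalisation step, so an attacker has no "equivalent but different" encoding to play with, and a notice that verifies carries the hash of the image along with it, so the download site never has to be trusted at all. What the example does not cover is key rotation and revocation, which a real vendor has to plan for before shipping the first device with a key baked in.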

FUD mongering aside, if the mobile world doesn't catch on quickly, many of us are pretty darned likely to have some rather expensive paperweights before long. But heck, I'm sure they'll make for fascinating conversations when colleagues walk into our offices.
