As Alan Paller wrote in last week's SANS @Risk Newsletter, home PCs contain a lot of software with a lot of vulnerabilities. The recent Shockwave hole is only one example. Yes, there are tools, like Secunia's PSI, that can help in determining which software on a PC needs urgent patching. In my experience though, the average home user is not tech savvy enough to use such tools.
Some software packages try to fix the problem by building an "auto update" feature into their product. Looking more closely into how these update mechanisms work shows that many do not verify or authenticate the updates received. If recent malware like Conficker protects its updates better than application software protects its auto-downloads, something's amiss.
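As an added illustration of the verification step that the paragraph above says many updaters skip (example code written for this page, not from the diary or from any product named in it): the client pins the vendor's public key, checks the signature on a small manifest, refuses downgrades, and only then checks the payload hash. The manifest format, the Ed25519 key handling and the integer version numbers are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)
// Manifest describes one update: its version and the SHA-256 of the payload. The
// vendor signs the manifest, so a tampered download is rejected before it runs.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}

// signManifest is the vendor side (hypothetical build server).
func signManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, []byte, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}
// verifyUpdate is the client side: pub is the vendor key pinned into the installed
// binary, installed is the version currently on disk.
func verifyUpdate(pub ed25519.PublicKey, installed int, raw, sig, payload []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, raw, sig) { // authenticity: did the vendor sign this?
		return m, errors.New("manifest signature invalid")
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return m, err
	}
	if m.Version <= installed { // rollback protection: never "update" to an older build
		return m, errors.New("update refused: not newer than installed version")
	}
	if fmt.Sprintf("%x", sha256.Sum256(payload)) != m.SHA256 { // payload integrity
		return m, errors.New("payload hash mismatch")
	}
	return m, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	payload := []byte("constructed update payload v2")
	raw, sig, _ := signManifest(priv, Manifest{2, fmt.Sprintf("%x", sha256.Sum256(payload))})
	_, err := verifyUpdate(pub, 1, raw, sig, []byte("tampered payload"))
	fmt.Println("tampered payload rejected:", err)
}
```

The order matters: the signature is checked before the manifest is parsed, so unsigned input never reaches the JSON decoder or the installer.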
Even assuming that a software package does everything right, there's still the hurdle of the OS to overcome. How do you explain to your mom or uncle or grampa the difference between a "bad" UAC prompt in Windows Vista (e.g. when malware wants to sneak in) and a "good" UAC prompt (e.g. when Firefox wants to apply its important security update)?
Basically, a message box telling a user that a program needs updating doesn't work anymore. We've seen just too many pop-ups, too many annoying requests to install Chrome or Silverlight or - worse - SuperMegaAntivirus2009, and this has left the users largely immune to anything that requests installation. The more glaringly something asks for attention, the higher the chance it will be ignored.
Microsoft has come a long way with Windows Update. Of course we still worry about the PCs of our family members whenever there's a new vulnerability, but once the patch is out, we know we can stop worrying: Windows Update works well enough that on all PCs of friends and family that I was recently pressed into duty to "check out", the Windows patches were actually current.
Now... how do we get to the same level with all the application programs?
I think this problem dates back to old proprietary software practices. The business model was, and unfortunately still can be, about selling someone a program and never having to contact the customer again, unless it's to sell them an upgrade to the 2010 edition. People had to just live with and get used to the bugs, and security updates didn't really exist. But the Internet has changed all that in two ways. One is that some types of software will have remote vulnerabilities that absolutely must be fixed promptly. But the other is that it's actually possible now to push updates to the customers, even daily. Software really ought to be an ongoing subscription service now, including security updates, but it must be a good thing to also be able to put out fixes for other bugs the same day they're reported. Vendors already using this model include anti-virus software authors, and their auto-update practices are probably the best around.
Free and open-source software is different though. On the whole, the developers and most users of this software seem to be more in favour of frequent updates to gain new features and fixes. But there is usually no financial incentive to having a platform for distributing those updates automatically, and it's something that may be skipped over to cut costs. Larger projects like Debian have been able to do this very well, but smaller apps may need help from someone like SourceForge and maybe open-source package managers.