3

For obvious reasons we teach users

Always update... updates are good... never forget updates, et cetera!

Apart from the danger of malicious advertisements that make use of that showing users that they need to "update", I want this question to focus on the automatic update features in software specifically.

A lot of applications have introduced automatic update features, where users basically don't have to do anything anymore in order to get their software completely renewed, patched, or fully stuffed with (undesirable) new features. As a security professional my first feeling about that would be "Great, this makes the world a bit safer", especially because you take away the human interaction which often causes failure due to laziness, forgetting to update, forgetting to even check for updates, or whatever "human" reason causes a lack of updating, and start patching known vulnerabilities automatically.

People get tons of different mobile app updates, operating system updates and desktop application updates. Doesn't all this updating increase the security risk by possibly introducing vulnerabilities at a high tempo on a massive scale?

So, on the one hand you have the extreme of no auto-updaters at all; on the other hand you have a scenario wherein almost everything gets automatically updated. I consider the downside of auto-updaters to be that they can rapidly introduce new vulnerabilities.

It'd be interesting to see some kind of statistical analysis that shows the likelihood of both scenarios.

Bob Ortiz
  • 2
    Can you clarify where you perceive a potential downside? Is it that people might forget to manually update holdouts in a world where increasing numbers of apps auto-update? That auto-updates are abused to install new, buggy functionality rather than simply address security fixes? What, explicitly, are the "both scenarios" you want to compare? – gowenfawr Aug 04 '16 at 14:11
  • @gowenfawr good point, thanks for the feedback. I changed the question slightly. – Bob Ortiz Aug 04 '16 at 14:15
  • In UX terms, auto-update is strictly better. My grandma doesn't need to worry about a prompt telling her that her fooapp needs update 4.5.01293. It will only elicit confusion, which is a reason people don't update you didn't list (and IME a very common one, many update prompts have *terrible* design). So if updating is, in general, good, then auto-update is good even if it allows for the mass propagation of vulnerabilities (it also by definition allows for quick propagation of the fixes). – Jared Smith Aug 04 '16 at 14:20
  • 2
    Looking at how rampant Windows worms were before Windows was auto-updating by default I would say it *extremely* improved security. But that's just anecdotal. – Philipp Aug 04 '16 at 14:23
  • 3
    There's an easy quantitative answer to this. How many vulnerabilities have been patched through auto update systems? (Answer, huge numbers.) On the other hand, how many vulnerabilities have been introduced by auto update systems? (Answer, very few.) Couple this with one other metric: What is the delta in the average length of time to patch between a manual patch system vs its automatic equivalent? (Answer, switching to an automatic system decreases average time to patch considerably.) So, an automatic system is clearly better for security. – Xander Aug 04 '16 at 14:45

3 Answers

9

Auto-updates greatly improved security by fixing any non-zero-day vulnerabilities.

Most vulnerabilities only become known to the general public after a patch for them is released. Years ago, when auto-updates were not the norm, black-hat hackers used to reverse-engineer any security updates, find out what vulnerabilities they fixed, write exploits for them and distribute them to target users who didn't bother to install the update. That gave us epidemics like Win32.Sasser, which propagated through a vulnerability that was already patched when the worm appeared, but many people didn't have the patch installed.

But nowadays, the release of a security update means that in a few hours nobody will be vulnerable anymore. That's simply not enough time to create an exploit and distribute it.

The high patch frequency also means that people who look for zero-day vulnerabilities (which means: finding vulnerabilities on your own before the developers do) are aiming at a moving target. A vulnerability might get fixed even while they are still working on their exploit (sometimes even unintentionally).

Philipp
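The argument in this answer (and in Xander's comment above) is about the size of the window between a fix shipping and the population actually being patched. The following is an added illustration, not code from the original post or from anyone on this page: a toy exposure model in which patch adoption follows an exponential curve with a chosen mean delay, a fixed fraction of hosts never patches at all, and a working exploit appears some days after the fix. All of the numbers (30-day mean delay for manual patching, half a day for auto-update, a 3-day exploit lag, a 90-day horizon) are constructed assumptions chosen to make the comparison readable, not measurements.

```python
import math

def unpatched_fraction(t_days, mean_delay_days, never_patch_fraction=0.0):
    """Fraction of hosts still unpatched t days after a fix ships.

    Toy model (assumption): adoption is exponential with the given mean
    delay, plus a fixed share of hosts that never apply the patch.
    """
    if t_days < 0:
        return 1.0  # before the fix exists, everyone is unpatched
    decaying = (1.0 - never_patch_fraction) * math.exp(-t_days / mean_delay_days)
    return never_patch_fraction + decaying

def exposure_host_days(mean_delay_days, never_patch_fraction,
                       exploit_delay_days, horizon_days):
    """Expected vulnerable host-days per host, counted from the moment a
    working exploit exists until the horizon.

    Closed-form integral of unpatched_fraction() over [exploit_delay, horizon]:
        p*(T - t1) + (1-p)*tau*(exp(-t1/tau) - exp(-T/tau))
    """
    if horizon_days <= exploit_delay_days:
        return 0.0
    p, tau = never_patch_fraction, mean_delay_days
    t1, T = exploit_delay_days, horizon_days
    return p * (T - t1) + (1.0 - p) * tau * (math.exp(-t1 / tau) - math.exp(-T / tau))

def compare_scenarios(exploit_delay_days=3.0, horizon_days=90.0):
    """Compare the constructed 'manual' and 'auto-update' populations.

    Returns exposure per host (in host-days) for each, plus the ratio.
    """
    # Constructed assumptions, not measured data:
    manual = exposure_host_days(mean_delay_days=30.0, never_patch_fraction=0.20,
                                exploit_delay_days=exploit_delay_days,
                                horizon_days=horizon_days)
    auto = exposure_host_days(mean_delay_days=0.5, never_patch_fraction=0.02,
                              exploit_delay_days=exploit_delay_days,
                              horizon_days=horizon_days)
    return {"manual": manual, "auto": auto, "ratio": manual / auto}

if __name__ == "__main__":
    result = compare_scenarios()
    for name in ("manual", "auto"):
        print(f"{name:7s} exposure: {result[name]:.2f} host-days per host")
    print(f"manual/auto ratio: {result['ratio']:.1f}x")
```

The point the model makes visible is that with a fast adoption curve almost all of the remaining exposure comes from the hosts that never patch at all, whereas with slow manual adoption the bulk of it comes from hosts that will patch eventually but have not yet done so when the exploit lands; a defender who cannot move everything to automatic updates still gains most by shrinking that second group.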
2

I think this is a highly subjective topic of discussion. The important thing to note here is that features like auto-update were designed keeping in mind the convenience of the user/system administrator (imagine accessing every single system in your workplace to install updates), and every time you add a bit of convenience to a system the attack surface automatically magnifies.

The updates (manual/automatic) may patch older vulnerabilities, but at the same time there is a risk of having new ones introduced into the system. The best example that I can think of in recent times is Heartbleed. All OpenSSL versions before 1.0.1 were not affected by the vulnerability, as the heartbeat feature was introduced in version 1.0.1. The hype around Heartbleed put us consultants in a tricky situation, as we had been telling our clients to keep their systems updated.

The fact remains that in today's heterogeneous systems, where some part of the code running on your PC/server/phone is changing on a daily basis, it all comes down to the level of trust you have in the app developers and the compensating controls that you might have put in place (as part of your enterprise risk mitigation policy).

Shurmajee
1

This is one of those questions that encourages debate more than it allows for a concise answer. As you recognize in your question, arguments exist for both sides, but it is overwhelmingly apparent that IT professionals prefer automatic updates. Does it mean your computer may constantly have some vulnerability? Absolutely. You put your trust in the developers of an application that they thoroughly audit every change they make to a program or operating system.

Are auto-updates ludicrous at some level? Absolutely. The tuner app on my phone doesn't need constant updates. But for web browsers, operating systems, and server software like Apache?

I'm of the popular opinion that I would rather have an untold number of unknown vulnerabilities sitting on my system for a relatively infinitesimal amount of time than a vulnerability that any script-kiddie can exploit from a Metasploit console. And if that means a constant battle between developers and hackers, I still prefer the offensive approach over the defensive approach.

In computer security, dynamic attacks can and will always succeed against static defenses. In addition to everything like usability and user simplification, automatic updates provide some level of dynamism.

Verbal Kint