Patching the Security Update Process
Security firm aims to make installing updates as painless and invisible as possible.
Recent research shows that the typical PC user needs to install a security update roughly every five days in order to safely use Microsoft Windows and all of the third-party programs that typically run on top of it. In response, a Danish computer security firm says it will soon debut a free new service that silently automates the installation of security updates for dozens of the most commonly used software products.
The five-day figure comes from information collected by Secunia, which pored over statistics from some two million users of its free Personal Software Inspector (PSI) tool, a program designed to alert users about outdated and insecure software running on their machines. Secunia found that the typical Microsoft Windows user has more than 66 programs from more than 22 different software vendors on his or her computer.
Even though the current version of the PSI software includes links to the latest updates for each outdated application, many users still find the update process too cumbersome, says Thomas Kristensen, Secunia’s chief security officer.
“Most users don’t want to be bothered with all these updates,” Kristensen says. “Even when we provide them with the proper download links for the updates, a lot of users to say, ‘No, I don’t want to click on all these things.’ We’d like to bring down the number of users who quit the patching process at that point.”
There is ample evidence to suggest that the average user can’t be bothered to install security updates in a timely fashion–unless the process is more or less automated. In a study released last summer, researchers from Google Switzerland and the Swiss Federal Institute of Technology found that browsers which included silent, automatic updates–such as Mozilla’s Firefox and Google’s Chrome–worked far better and faster in successfully delivering patches than did the manual installation mechanism used by the browsers from rivals like Microsoft, Opera, and Apple.
When hackers increasingly are attacking software security holes before vendors can ship patches to plug them, timely patching is more vital than ever, says Wolfgang Kandek, chief technology officer at Qualys, a computer security firm based in Redwood Shores, CA, that helps companies manage patch deployment. Kandek says Microsoft made great inroads with Windows XP Service Pack 2, which prompted users to turn on automatic updates for the operating system. But he adds that too few major third-party software makers include similar auto-update mechanisms.
“Take older versions of Adobe’s software, which don’t have an update component,” Kandek says. “Users on these will just stay at whatever version they’re using, and never update.” Alan Paller, director of research for the Bethesda, MD-based SANS Institute, a computer security training group, says Microsoft considered pitching its Windows Update service to third-party software vendors as an update conduit many years ago, but ultimately abandoned the idea because of legal liability concerns.
Secunia’s Kristensen says his company’s tool will avoid any liability issues by downloading patches in exactly the same way for each application as a regular user would. Still, he says, not all software vendors are likely to make it easy.
“The liability issues arise if we were to start modifying the patches or putting them in our own repository of updates,” Kristensen says. “One thing we can guarantee is that it won’t work for 100 percent of software. We’d love it to do that, but that would require 100 percent cooperation from a lot of vendors who don’t have a good history of this.”
According to Paller, Secunia’s chief challenge is appealing to users who don’t know enough about security to know they need to deploy third-party updates. “That’s why I think that a service like this–if it is going to have a decent impact–needs to be offered through the [Internet service providers],” he says. “My goal would be to say if you’re going to be an ISP, you need to provide a service like this.”
Secunia’s patch tool likely will need some serious testing before it can be deployed on such a broad scale. Secunia has already adapted the corporate version of PSI to deploy third-party updates, but doing the same for consumer computers would be a far greater challenge, particularly in making the software work on all of the various foreign language implementations of these third-party products.
“The goal is to make this scalable and legal, and to do that we will need to–at least at first–prioritize the products we patch based on those that are most widely installed, because there is no way we will be able to do 13,000 applications at once,” Kristensen says.
Secunia is aiming to have a preview version available in April for expert PC users, and a beta version for more public consumption a few months after that.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today