But stop griping. The inconvenience is better than the alternative, as the WannaCry attack showed.
SAN FRANCISCO – Grit your teeth and let your computer update itself. That’s the advice of security experts, who say consumers should welcome those updates because they serve a crucial purpose highlighted by the victims of the WannaCry ransomware attack.
In the case of the massive cybersecurity offensive that hit computers in over 150 countries last week, users who had installed a Microsoft-issued patch were immune. Those who hadn’t could be hijacked.
In a world where computers and the software that runs them are under near-constant assault, updates allow companies like Microsoft, Apple and Google to keep customers safe — to the annoyance of many users.
“Think of this whole thing between the hackers and us, the average people, as an arms race. The hackers find a vulnerability, the companies find something to counter it,” said John Otero, a professor at St. John’s University’s computer security program.
But too many consumers turn off updates or refuse to install them when they pop up, either because they like their programs as they are, or because they fear the updates themselves may be malicious, or simply because it’s too much work or downtime.
A study by the Pew Research Center in January found that 14% of consumers never updated their smartphone’s operating system and 42% waited “until it was convenient.”
Younger users seem to be more onboard with updates. Pew found that 48% of younger users, 18- to 29-year-olds, had their smartphones set to automatically install updates when they were available. But 13% still said they never updated their systems.
Microsoft significantly changed its update model with its Windows 10 operating system by allowing for automatically installed updates, with some flexibility about timing on the part of the user. Major upgrades can only be deferred for 180 days, with a 60-day grace period. And in a change from the past, its weekly security patches are now bundled together, whereas it used to be possible to choose which to install.
Many of the computers affected by WannaCry were running the Windows XP operating system, which couldn’t initially be patched because Microsoft stopped supporting it in 2014, except for customers paying a high fee. In the case of WannaCry, Microsoft took the unusual step of issuing a free patch for Windows XP machines due to the severity of the threat.
As attacks increase, companies are increasingly pushing out updates.
“Apple used to only update their software once a year and now they do it monthly, mostly for security patches. Microsoft used to be able to go a year for a big update,” said Daniel Ladik, a professor who specializes in digital marketing at Seton Hall University in South Orange, NJ.
Those ever-more-frequent updates also often include a mix of both security and general software changes — to the frustration of users. They complain some updates force them to reset preferences or that the updates cause crashes. The frequency and glitches have given updates a bad name, leading some consumers to ignore these persistent reminders.
Sometimes settings change, “so suddenly you’re getting push notifications even though you had them turned off, so you’ve got to go back in and reset everything,” said Ladik.
‘No one wants to be interrupted’
That’s the challenge for the technology industry: To keep consumer data safe, software makers need to convince users to constantly maintain their programs. But the more they interrupt consumers, who are increasingly tethered to their smart devices, the less these consumers want to play along.
A Google survey of security experts and regular web users in 2015 found a wide gap between the two when it comes to updates. A full 35% of experts — but only 2% of non-experts — said installing software updates was one of their top security practices.
Google thinks it’s less a reluctance to install updates and more just not wanting to be hassled.
“No one wants to be interrupted in the middle of doing a task they’re concentrating on to pause and deal with something totally unrelated,” said Parisa Tabriz, a Google Chrome security expert. That’s why the Google operating system is automatically updated, she said.
Grady Summers, chief technology officer with security company FireEye, thinks the fear of installing something that will crash a system or brick a device is overinflated, especially compared to the danger of getting hacked.
“The risk is minuscule compared to the risk you run by not patching. Companies like Microsoft and Google extensively test updates for compatibility. Unless you’re running very specialized software, you shouldn’t be concerned,” he said.
This leads to a mismatch between security concerns and consumer concerns.
Ladik tends to be of the ‘if you’re unsure, don’t do it’ school of thought, figuring that for most devices he can skip somewhere between three and five updates before they stop working.
That outlook drives security professionals to distraction.
“The inconvenience experienced from potential changes due to patching is a fraction of the hassle involved in recovering from a compromise. Take the medicine, it’s far better than the disease,” said John Bock, a vice president of application security at Optiv, a computer security company.
Users don’t always see it that way. “Sometimes the medicine is worse than the disease itself,” said Otero, a former commanding officer in the New York Police Department’s computer security unit.
To his mind, updates make sense for businesses, because they have a tech staff and can test systems when they install updates. Consumers don’t have that luxury. So he often waits a few days when an update comes out, keeping an eye on what others are writing online about the new code.
“Sometimes you’ll go on and see a couple of hundred people saying the same thing — ‘Don’t do it! It will break!’” said Otero.
Security experts say the reality is that most people don’t remember to update. And waiting is becoming increasingly less safe.
“As attackers become more sophisticated and more automated, the time it takes them to exploit unpatched systems shrinks significantly.