Yes, You Should Always Update Your Software
Written by Greg Norcie
We have all received those annoying interruptions to our work — yes, the dreaded “update your software” message. Updates can be cumbersome — they can force you to stop what you’re doing, restart your computer, or change the interface you were working in upon the restart. But as unfun as they might be, they are an essential part of strong digital hygiene and one of the most important steps you can take to protect and secure your personal devices.
The truth is, if you don’t take control of your devices, an attacker might do it for you. Peer-reviewed research presented at the 2015 Symposium on Usable Privacy and Security in Ottawa showed that the three main ways that security experts protect themselves are frequently updating their software, using two-factor authentication, and using a password manager. I plan to address all three of these, and this post starts with updating your software.
What threats do frequent updates protect against?
As Columbia’s Steve Bellovin has said, “Software has bugs. Security software has security-relevant bugs.” Because software has bugs and, importantly, the software used to secure your devices has bugs too, we need to regularly update that software to fix those bugs, or devices quickly become insecure.
Updates are particularly important because attackers often use so-called “zero-days” to attack your computer. A zero-day is a software vulnerability that no one aside from the attacker previously knew existed. Since no one else knew it existed, there are no defenses against it. Anti-virus software can only identify viruses it has seen, similar to how your body only produces antibodies for diseases it has encountered before. An attacker with a particularly nasty zero-day can take over your computer, and aside from regularly updating your software, there is no way to protect against such attacks.
How are updates created?
Once the underlying bug is reported to the company or discovered in malware (malicious software) that is spreading in the wild, software manufacturers can develop and then issue a “patch” (a small software update) which will fix the zero-day vulnerability. Unfortunately, these software updates can be studied and reverse-engineered; that is, other, less-skilled attackers can examine a patch, glean from it how to exploit the vulnerability being patched, and then use that exploit against other systems which have not yet been patched.
Keep in mind that the internet is not like the physical world. In the real world, a thief can walk up to your front door and jiggle the handle. A hacker can “jiggle the handle” on millions of computers per second. When an attacker finds an unlocked door (an unpatched computer), they can come walking in. For example, the second Tuesday of the month is known to IT professionals as “Patch Tuesday” — the day when Microsoft releases their software patches. The following day is known as “Exploit Wednesday”, since within a day hackers have examined the software patch, discovered the underlying vulnerabilities, weaponized them into exploits, and deployed them against unpatched systems.
How can we make updates great again?
If you don’t like software updates, you’re not alone. Research done by Vaniea et al. has shown that users dislike software updates for a number of reasons. First, they lose their place when they restart their computers. Second, security updates are often bundled together with updates which can change a piece of software’s interface, making it difficult for users to accomplish their tasks.
Automatic updates can help solve this usability issue: software can be updated automatically, with the programs and files you were using noted and reopened upon restart. Developers can also make sure that any user interface changes made via an update can be rolled back by users who may prefer the previous interface.
Why Undermining Trust in Updates Harms Security
However, automatic updates require users to trust their software maker. In addition to usability issues, consumers need to be confident that software updates will enhance their security, not undermine it. This means giving updates to all users (not just those who paid for your software), and only using update mechanisms to deliver updates. Software updates must never be used to deliver backdoors.
When your computer is hacked, you aren’t the only person who can be harmed. Your computer can be used to launch attacks on other computers, some of which may be in businesses, government facilities, and hospitals. By patching as many machines as possible, the spread of computer viruses can be limited. Microsoft now issues security updates to all Windows computers, even those running pirated software.
Why Updates Matter – A Real-World Example
Initially the ping of death was mostly used for juvenile pranks like knocking opponents offline during online games. However, what if the systems knocked offline had been in a bank or a hospital? What sounds like a simple prank could have had some serious implications — luckily, most critical devices were “dumb” in the 90s or not networked. (Personally, I love my dumb watch.)
But as the Internet of Things becomes more popular, as fridges and televisions become “smart”, this opens up new vulnerabilities. What happens when a manufacturer stops issuing security updates for their refrigerator? It means an attacker can, at a minimum, disable your device. At worst they will completely control it — they will see the data it contains, and access its sensors, microphones, cameras, etc. If it was a stove, they may be able to start a fire. If it was a heating or cooling system, they may be able to cause your home to freeze solid or reach uncomfortably hot temperatures.
With all of this in mind, whether you just own your own laptop or administer an entire network, keeping your software up-to-date is the first line of defense against criminals, terrorists, and state-level surveillance, all of whom have researched, deployed, and used these sorts of exploits.