The short answer: Updates are worthless if one does not apply them.
Once again I find myself cleaning malware off of a home user’s Microsoft based notebook PC. Once again, while it has anti-virus software installed it was infected by a “drive-by attack” from a web page. It was infected with the Antispyware Soft fake anti-malware nag and FUD software. The installed Norton Antivirus, which is up to date, did nothing to stop this attack and was then disabled after the malware got on the system. What happened?
As I type this article the notebook PC’s Microsoft system is downloading and applying updates. Many updates. At least a couple of years of updates. Maybe more than that. The IE browser was pre-IE8 and was not patched with security updates even then. The Firefox browser, which is set as the default, was also not up to date. If the system had not been infected and given into the care of my company to clean up it would likely never see another software update applied. Even though the system was set to download and apply updates automatically, the scheduled time was set for 3:00 AM. A time when this notebook PC owned by an older lady will never be on.
Unfortunately, on consumer desktop and notebook PC systems we in the IT community that services this market often find that software updates are not applied. This includes all software updates, not just those that apply to security flaws in software. It seems that in general people with home computers fall into these categories:
- Ignorant that updates are needed to protect their PC from malware and fix known bugs in the software. These people never apply updates even if notices are popping up to inform them of updates. If the PC is infected they may be blissfully unaware they are using an infected PC.
- Aware that updates are needed but lackadaisical about applying them. These folk put off updates for many reasons, but mainly because it is inconvenient to apply updates.
- Aware that updates are needed and apply them regularly.
- Absolutely fanatical about making sure updates are applied as soon as they are available.
It appears from my experience that the majority of non-technical end-users who end up with infected systems fall into the first category. The second category is a smaller group that have just been lucky to not yet have an infected PC. These two categories of users are almost all Microsoft operating system users. The latter two categories are the small group of users that are more technical and/or security conscious. The more security conscious but non-technical are usually those who have had to deal with a prior PC infection. The latter two categories rarely or never see an infection. The Open Source community of Linux users is generally more technical at this point and thus more likely to take updates seriously.
The main problem as I see it is one of education. A lack of training that emphasizes the importance of getting and applying software updates as soon as possible. Ignorance rather than sloth. There is no government required training course or license to use a PC as there is to drive a car. But I am not calling for government regulation because most government regulations are already too invasive and burdensome. The world needs less government and more personal responsibility, not more government oversight. The answer does not lie in some government regulation.
What can we do about this problem? I can think of at least two.
- Those of us who sell to consumers PC systems with popular operating systems installed could take the time to explain to our customers the importance of software updates. We can make that part of the sale (Are you listening Dell? HP? Best Buy? WalMart?) instead of just “selling” Microsoft, Apple or Linux based PC systems and leaving the end-user ignorant. Instead of selling anti-malware as the answer to all malware woes we can be honest and admit that no software is able to make a PC perfectly safe (especially not Microsoft’s operating systems). Then emphasize the importance of getting and installing software updates as they become available. Inform the customer that security is a process, including an awareness of the need for security updates, not a product. Sure, there are still those consumer end-users who will not “get it” and will still not apply updates. But more people being made aware of the importance of software updates will mean more people are likely to take updates seriously and apply them.
- Automate all updates by default in software on systems expected to be purchased and/or used by the average consumer. Even major updates like XP Service Pack 3 (do not change the original license terms thus requiring end-user agreement, Microsoft, and you can do this too). Then setting such automated updates to apply at some time when the computer is likely to be on. Perhaps default scheduling of the updates to start after the system has been on for half an hour instead of some fixed time in the wee hours of the morning when most home PC systems are off. With FOSS systems that use online software repositories this would mean almost all the software would be updated. The exceptions would be software that the user got outside the repositories. Yes, make this the default but leave options for the user to schedule updates or disable updates altogether. The user that has no clue will be a bit more protected by this proactive approach. The user that already is aware of the need for security processes will be able to handle this just fine.
Oh yes, if an automatic update that applies every update is selected we can be sure there will occasionally be hiccups in the process. The end-user should be informed of this probability up front. Not unpleasantly surprised after the fact.
If any of you have some interesting ideas about making average end-users aware of the importance of applying updates please feel free to post a comment. Comments that average end-users are all “morons” are unwelcome. Try to be a bit more thoughtful than that.
Unique accesses to this article:
|free hit counter|
Notice: All comments here are approved by a moderator before they will show up. Depending on the time of day this can take several hours. Please be patient and only post comments once. Thank you.