Turn On Auto-Updates Everywhere You Can
Credit to Author: Brian Barrett| Date: Fri, 08 Mar 2019 21:18:06 +0000
This week, Google announced that it had patched a wicked vulnerability in Chrome, by far the most popular browser in the world. Not only that, the search giant also confirmed that hackers had been actively exploiting the bug, in tandem with one found in Windows. Soon after came a wave of reports imploring people to update Chrome right now. But thanks to Google’s embrace of auto-updating its software, for most people it was already taken care of.
Software updates are a pain no matter how you shake it. The MacOS prompts never leave you alone. Automatic Windows 10 updates ask you to restart your PC at the least convenient times. And fresh versions of iOS seem to brick phones every couple of years. You’d be forgiven for wanting to just forget the whole thing.
Don’t! Keeping your software up to date is the easiest way to protect yourself from hackers, and letting it happen automatically is the best way to guarantee that it actually happens. “As a security practitioner, I am a strong advocate for auto-updates, especially when it comes to consumers,” says Jérôme Segura, head of threat intelligence at security firm Malwarebytes.
Take the case of the recent Chrome zero-day vulnerability. Rather than forcing a pop-up on however many millions of open browsers, prompting all of those users to install a patch, which many of them would likely have put off or ignored, Google’s security team just pushed the fix. Done. Well, almost done: In this case, because the attack targets actual Chrome code and not that of a plug-in like Flash, you still have to restart the browser to effect the change. It’s a significantly lower bar, though, and one that’s going to keep substantially more people safe than an elective update would have.
“My impression is that most people don’t want to think about security. It’s more of a burden than anything,” says Josiah Dykstra, technical director at the National Security Agency. “Even if they say they want to be secure, they either don’t have the expertise or the desire to do a lot of work.” Nor should you have to.
There are some clear exceptions here. Plenty of medical and industrial systems can’t apply updates blindly; any unintentional bugs could result in catastrophe. And people who tinker with their software—security researchers, hobbyists, and so on—are rightly careful about any changes they introduce to their devices. Those are cases in which the cure can genuinely be worse than the disease.
But for your average smartphone or laptop owner? Go auto-update all the way. Yes, you’ll run into some performance hiccups, but they’re worth it for the overall peace of mind. In fact, thinking of it in terms of those trade-offs puts the onus on you rather than the companies that push out faulty patches. Spend that energy demanding more from Apple and Microsoft and Google and whoever else is responsible for shaping your digital experience.
“The vendors need to do a better job of vetting the patches before they go out and providing an emergency rollback on the end-user side,” says Gene Spafford, a computer scientist at Purdue University and prominent cybersecurity researcher who cowrote an essay last year with Dykstra about so-called disappearing cybersecurity. A mechanism like that would help quickly undo any worst-case scenarios versus forcing you to wait for the fix to the fix. Which, it should be noted, also needs a fix sometimes.
Fortunately, Windows 10 auto-updates by default. Apple offered it as an option for the first time in iOS 12, but you have to opt in. To do so, head to Settings > General > Software Update > Automatic Updates and toggle over to turn them on. As for Android—and as with all things on Android—it depends on what device you’ve got, but generally speaking you have to wait until you get a notification that an update is ready for you in order to install it.
And then there’s the Wild West of the internet of things. Many IoT devices lack not only automatic updates but any way to update software at all. That especially is a shame, because there’s no category of device that would benefit more from constant, hands-off improvement than those that have no real interface to speak of. The last thing you should have to worry about is your webcam shouting bomb threats at you.
“That’s an area of concern. If IoT devices have vulnerabilities, they’re going to be widespread,” Spafford says. “We don’t have a climate yet that really holds [manufacturers] responsible to better behavior.”
The good news is, the wider consumer-tech industry is starting to embrace auto-updates more. If there’s a silver lining to security meltdowns like the Chrome bug, it's that it draws attention to the upsides of a set-it-and-forget-it approach for most casual consumers of technology that goes beyond just getting the latest bells and whistles first.
“If people see the value in auto-updates, they generally tend to see the value in product stability for features more than security,” Dykstra says. “The security benefit is a very hard thing for consumers to see.”
All the more reason to make the whole process as invisible—and painless—as possible.