Software security has always been a moving target, but it seems to be moving faster than ever. New vulnerabilities are discovered and exploited every day, and missing an update for a browser, messaging client, phone or even code editor can prove disastrous.
Developers and publishers of software and hardware know this better than anyone - but frustratingly, they seem to have concluded that while security is important, it’s much more important that the user believes they’re safe. If a security update contains more than a slight hint that the software in its current state is insecure, they fear the user might decide that the problem is the product, not the growing and evolving threat landscape.
Consequently, security updates tend to disguise themselves as feature rollouts or plain bugfixes - you’ll often need to google your way to the release notes to read the list of CVE’s addressed in a patch.
Not knowing their security is at risk, many users stay on vulnerable versions of products for months while their update notification unobtrusively whispers “hey, this is totally not important but could you apply me when you have the time please”. And that’s assuming they even receive a notification in the first place.
This situation is clearly not ideal. Let's fix it!
Auto Update Utopia
Imagine a different reality, filled with updates and flowers, where all software is magically on the latest version and you hardly had to do anything to achieve it. The update button doesn’t even exist anymore, because it’s all handled for you.
Automated patch retrieval, statistically determined per-device update windows, safe metrics-based rollout strategies, patch and update mechanisms standardized at the OS level, clear and honest security update messaging - each of these things already exist in some form or another.
The world of unobtrusive, automated, well-tested and standardized update systems is within grasping distance. All we need to do is gather all the lessons we’ve learned along the way, and use them to create a sane set of public standards.
And there definitely have been lessons:
Risks of Auto-Patching
While the benefits clearly outweigh them, automated updates bring their own unique set of risks and occasionally spectacular failure states - as demonstrated by the NotPetya attack in 2017, and more recently the 2024 Crowdstrike incident.
As auto-update adoption increases, we should expect to see some additional astonishing failures as software, hardware and IOT vendors choose to learn their auto-update lessons the expensive way.
The price of these failures is still worth it, because:
The Legislators Are A-Comin’
If a cultural problem persists long enough, inevitably laws will appear to address it. Additionally, with global conflicts and an ever-growing cybercrime problem, the pressure on legislators is increasing rapidly. As is their job, they will in turn look for ways to pass their pile of problems on to the people who can be motivated to solve them, via carrot or stick. The proposals so far indicate they’re all out of carrots.
- The UK IoT security act of April 2024 requires IOT vendors to provide secure update mechanisms.
- The recently updated EU Directive on Liability for Defective Products makes consumer software vendors liable for damages caused by insecure practices, including bad or non-existent update mechanisms.
- The White House occasionally tries to achieve similar results in the US, but hasn’t quite gotten there yet.
These are likely only precursors, heralding stricter regulation down the line.
As we’ve seen with GDPR, it really is in everyone’s interest to improve our bad practices before legislators get heavy-handed.
So here’s my ask to software developers and consumers alike: Could everyone pretty please become fervent auto-update activists?
With a bit of effort we can avoid the dark and looming future where software update mechanisms are mandated via a strict and complicated regulatory framework, which is met by a mix of malicious compliance and least-effort implementations.
And since I know that won’t work, here’s my plea to lawmakers:
When the time comes to wield the legislative hammer, search the lands far and wide for the greybeards who've been through this a few times already. Apply those extra layers of due diligence so we can land on something that only angers and annoys those who genuinely preferred an insecure solution.
