Software Patching Too Much Trouble For Most

Automated software patching, common among enterprises, is making its way onto consumer PCs.
The U.S. government is so flummoxed by the insecurity of computers that it has launched a contest to find someone who can create an effective way to educate people about computer security.

It's clear there's a problem. Recent legal action in Spain and in Virginia against the Mariposa botnet and the Waledac botnet, two of the ten largest botnets that controlled tens of millions of hijacked computers, offers a reminder of just how many compromised computers are out there. These aren't just personal computers either; many of the infected machines have been found in major corporations and banks.

Education can reduce the number of malware infections by helping users understand that the joke in e-mail messages with subject lines like "LOL! Check this out!" is on the recipient, in the form of malware. But the defensive value of timely patching shouldn't be overlooked.

The problem with patching, unfortunately, is that it's too much trouble for the average user. A research paper by Stefan Frei, research analyst director at Secunia, and Thomas Kristensen, CSO at Secunia, released earlier this week at the RSA Conference, finds that the complexity and frequency of patching software vulnerabilities tend to exceed what users are able and willing to invest.

According to Frei and Kristensen, 50% of users have software from more than 22 different vendors that are affected by at least 75 security advisories issued by Secunia every year.

"Thus, a typical end-user has the daunting task to administer his host approximately 75 times a year (or every 4.8 days), thereby handling approximately 22 different update mechanisms to keep his/her system secure," the paper states.

The obvious solution to this problem is a single automated update mechanism.

Automated updating is not free from controversy. Typically it takes place without real-time notice and consent, relying instead on past notice and consent. It's generally not a problem when done by a trusted party, but there's still some potential for misuse.

Apple has already caught on to the benefits of automated updates, as can be seen in the way it updates software for iPhones and iPods through iTunes. Users don't have to make much of an effort to keep all the software on their iPhones and iPods up-to-date.

Google has realized this too. The always-up-to-date status of Google Apps has long been a selling point, as it is with any cloud-based software. The company also keeps its desktop software like Google Pack and Google Chrome up-to-date using an automatic update mechanism.

Secunia is the latest company to advocate this approach. That's unsurprising, given that Frei co-authored a paper demonstrating the effectiveness of Google's automatic browser updates prior to joining Secunia, when he worked at the Swiss Federal Institute of Technology (ETH Zurich).

Kristensen says that in the coming months, Secunia will release software that "forever will change the updating experience on Microsoft Windows systems."

Secunia plans to launch a technology preview of Automatic Updating for private users, which will be incorporated into its Personal Software Inspector (PSI) 2.0.

Mac OS X and Linux users will have to continue to patch their software manually for the time being. But they don't really face the same attention from cybercriminals as Windows users.