Why software updates make us WannaCry - TechCentral

Why software updates make us WannaCry

The global ransomware attack called “WannaCry” could have been avoided, or at least made much less serious, if people (and companies) kept their computer software up to date. The attack’s spread demonstrates how hundreds of thousands of computers in more than 150 countries are running outdated software that leaves them vulnerable.

The security flaw that allowed the attack to occur was fixed by Microsoft in March. But only people who keep their computers updated were protected. Details of the flaw were revealed to the public in April by the Shadow Brokers, a group of hackers who said they had stolen the information from the US National Security Agency.

Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it. Our human tendencies and corporate policies worked against us.

Updating is a pain

All people had to do to stay safe from WannaCry was update their software. But people often don’t, for a number of specific reasons. In 2016, researchers from the University of Edinburgh and Indiana University asked 307 people to discuss their experiences of installing software updates.

Nearly half of them said they had been frustrated updating software; just 21% had a positive story to tell. Researchers highlighted the response of one participant who noted that Windows updates are available frequently — always the second Tuesday of every month, and occasionally in between those regular changes. The updates can take a long time. But even short updates can interrupt people’s regular workflow, so that study participant — and doubtless many others — avoids installing updates for “as long as possible”.

Some people may also be concerned that updating software could cause problems with programs they rely on regularly. This is a particular concern for companies with large numbers of computers running specialised software.

It can also be very hard to tell whether a new update is truly necessary. The software that fixed the WannaCry vulnerability came out in a regular second-Tuesday update, which may have made it seem more routine. Research tells us that people ignore repeated security warning messages. Consequently, these monthly updates may be especially easy to ignore.

The companies putting out the updates don’t always help much, either. Of the 18 updates Microsoft released on 14 March, including the WannaCry fix, half were rated “critical”, and the rest were labelled “important”. That leaves users with little information they could use to prioritise their own updates. If, for example, it was clear that skipping a particular update would leave users vulnerable to a dangerous ransomware attack, people might agree to interrupt their work to protect themselves.

Even security experts struggle to prioritise. The day the fix was released, Microsoft watcher Chris Goettel suggested prioritising four of the 18 updates — but not the one fixing WannaCry. Security company Qualys also failed to include that specific update in its list of the most important March updates.

Security pros, and everyone else

The most common recommendation is to update everything immediately. People just don’t do that, though. A 2015 survey by Google found that more than one-third of security professionals don’t keep their systems current. Only 64% of security experts update their software automatically or immediately upon being notified a new version is available. Even fewer — just 38 percent — of regular users do the same.

Another research project analysed software-update records from 8,4m computers and found that people with some expertise in computer science tend to update more quickly than nonexperts. But it’s still slow: from the time an update is released, it takes an average of 24 days before half of the computers belonging to software engineers are updated. Regular users took nearly twice as long, with 45 days passing before half of them had completed the same update.

Making updates easier

Experts might be quicker at updating because they understand better the potential vulnerabilities updates might fix. Therefore, they might be more willing to suffer the annoyances of interrupted work and multiple restarts.

Software companies are working on making updates more seamless and less disruptive. Google’s Chrome Web browser, for example, installs updates silently and automatically — downloading new information in the background and making the changes when a user quits and then reopens the program. The goal is for the user not to know an update even happened.

That’s not the right choice for all kinds of updates, though. For example, the Windows update needed to protect against the WannaCry attack requires the computer to restart. Users won’t tolerate their computers shutting down and restarting with no warning.

So, computer companies must try to convince us — and we must convince ourselves — that updates are important.The Conversation

  • Elissa Redmiles is PhD student in computer science, University of Maryland
  • This article was originally published on The Conversation
  • Valis

    I really don’t understand why people still use rubbish like Windows. If everyone would just switch to open-source software their wouldn’t be any problem.

  • Greg Mahlknecht

    It’s nice to be able to be able to run the tools necessary to do your job, or send/receive documents to others and keep formatting intact. A blanket statement like “rubbish like Windows” is so naive and short-sighted.

  • Valis

    I’m an MCSE. Windows *is* rubbish. I have thirty years experience with that broken rubbish, hardly naive.
    If formatting concerns you, Linux supports Windows document formats that *Windows* doesn’t even support any more. Also, being open-source, there are millions of devs patching it on a daily basis, unlike Windows. FOSS is the only secure software that there is. Methinks you are the one who is naive…

  • Greg Mahlknecht

    I think the last few years devastating security holes in OSS that went unnoticed, sometimes for decades, has put that “many eyes” theory to rest. Closed source’s “security by obscurity” isn’t perfect, but the other extrme “the baddies can see the insecure source” is also obviously problematic. I’ve also got in the region of 30 years experience with many OSes. They all have their strengths and weaknesses, and to just label any “rubbish” really is silly.

    Even if windows WAS rubbish, your original question *is* naive – if you really don’t understand why people use it, then what have you been doing for 30 years?

  • Valis

    Experience as a “user” is not quite the same as being a Microsoft Certified Software Engineer. Doing something for a living doesn’t necessarily mean you like it!

    Clearly you’re not familiar with the term “rhetorical”.

  • Greg Mahlknecht

    >Doing something for a living doesn’t necessarily mean you like it!

    No, but it certainly helps… I’ve been a professional coder for 2 decades+ and have coded for many platforms in many languages, and use Windows/C#/Visual Studio by choice. I actually like my job – using the (IMO) best coding tools on a very coder-friendly OS has gone a long way towards that. I don’t look back on my years of coding in java and/or *nix as happy times, even though they paid for my house.

    >Clearly you’re not familiar with the term “rhetorical”.

    Hey, sometimes it’s just fun to poke the bear 🙂

  • Valis

    Ah, that explains it, a Windows fanboi 😉

    I have previously developed my own operating system, I know what a well-written os looks like, and Windows ain’t it! Seriously, Windows is complete rubbish, a badly written mess.

    You’re entitled to your own opinion, as am I, but the “naive” comment was way out of line. If you have to resort to ad-hominem attacks right from the start then you’ve already lost the argument.

  • Greg Mahlknecht

    I think the “naive” comment is as valid as ever. The reason people use Windows is because it’s the only OS that allows them to do their job effectively a lot of the time. I can’t see what you can disagree with there?

    If “everyone switched to open source” we’d have a big issue – the engineering world would pretty much fall apart, productivity software would take a decade+ leap backwards, you couldn’t use Google, Android would be severly crippled (a lot of the good stuff is closed source) – the list goes on.

    We need both models to keep the other honest, and each has their application. In the past few years, OSS software has had as many critical breaches as closed source, and this isn’t going to get much better with nation-states having literal armies of coders trawl through the source looking for holes and not disclosing them (the “disclosure” part is the part that makes OSS secure, without that, the open source nature of code becomes a con, not a pro).

    I don’t know if you’re following a lot of these OSS audits that are being sponsored in the wake of all the breaches they’ve suffered, but it’s quite clear that OSS isn’t the bastion of awesomeness that it’s presumed to be.

    Not at all a Windows fanboy, just a satisfied customer that has the necessary knowledge to make an informed decision.

  • Alexis_Zenios

    “I’m an MSCE.” Careful, we have a badass here.

  • James Francis

    Tell me about it. One word: drivers.

  • William Stucke

    > If formatting concerns you, Linux supports Windows document formats
    Yes. Badly. So much so that my team members using OSS make content edits, but have given up making formatting edits in a particular large document we’re working on now. It’s really slowed down the process. Try using Tracked Changes …