Software updates are always announced at the worst possible time. A couple of weeks ago, I had about 30 tabs open across three different Chrome windows, Firefox open as it works better for a coded TV stream, Adobe and unsaved documents open whilst flipping between work, holiday planning and a chat app. Suddenly … the update notification appeared: “Restart to install updates?” No chance. “Try later?” For the tenth time, I responded – yes, later, knowing I could be busy then too!
Updates are often bundled together with important security patches. Of course, many of us don’t think about this. Instead we think, “Why does Adobe need updating again? I can view PDFs correctly.” or we ask ourselves: “What is Java anyway? Is it malware?”
Some upgrades are welcome, such as when a favourite app gets a cool feature, but most updates are a source of frustration, particularly when things are supposed to improve, features increase, and we can’t work out how to use them. Examples I can recall are iTunes becoming difficult to navigate, Windows 8 functionality being removed, new Mac OS not working, and MS Excel, several times, with new features.
Updates are a hugely important part of keeping ourselves secure. So much so that, when researchers at Google asked security experts what is needed to stay safe on-line, installing updates was the top-ranked item.
Software development entails a cat-and-mouse process as the developers seek to assure protection from those who would abuse or break the processes. Software companies do not wait for everything to be tested fully and sometimes make mistakes. Updates are released after some quality assurance; bugs are subsequently found, and some of these create vulnerabilities that a hacker can use to access your device and wreak varying amounts of havoc.
Companies often identify these issues themselves, and some even offer so-called “bug bounties” whereby outside contributors are paid for responsibly disclosing security flaws to the software manufacturer. Google have formed a group, with the aim of improving internet software development, that identifies bugs in software and notifies the creating company of the details. With a view to keeping all users safe on-line, they give the company 90 days to fix the bug before publishing details. To date all bugs have been fixed prior to publication!
However, sometimes the worst does happen: the bug is discovered because a hacker exploits it.
We put off rebooting. We turn down installations. We don’t want to be interrupted for fear this could be another bad IT experience, and everything might even stop working. It is a balancing act between security and usability.
One way companies have dealt with this is to hide the whole update process with automatic updates and forced installs. However, this risks annoyance amongst users, further detachment and even less willingness to go along with update prompts than there is now.
Bug fixes that mend the vulnerabilities are released in the form of software updates, and these may be bundled with new functionality. Ignoring an update means the benefits of both are lost. Users don’t update because it’s perceived as not needed, and the importance and benefits are not appreciated. Developers want to maintain fewer versions of software whilst retaining on-line security. A stand-off ensues and both parties are worse off.
The solution is to find better ways of communicating with users about the security benefits of accepting updates quickly and to find less intrusive ways of offering or installing the updates. Microsoft already enable Windows updates to be largely scheduled by the user during the night.
This blog is intended to boost the communication element – install updates a few days after release to keep safe, and help keep others safe, on-line.